How A Victim Hacked Crypto-Ransomware Hackers And Publicly Released Decryption Keys

Here’s a story of a hacker hacking back the hacker.

It was a roller-coaster week for Tobias Frömel. The Bavarian developer lost access to the data on his QNAP server to the Muhstik ransomware. To recover it, he paid the Muhstik gang 0.09 BTC ($700 at the time of writing).

And here’s the twist: Tobias hacked the criminals’ database and retrieved around 3,000 keys belonging to other innocent victims, literally pulling a Robin Hood move.

He not only released these keys for free but also made them public. Victims can now use these keys to recover access to their data.

So What Exactly Happened?

To understand this, let us first look at what Muhstik ransomware is.

Muhstik ransomware is known to specifically target Network Attached Storage (NAS) devices made by Taiwan’s QNAP Systems.

QNAP has a reputation for providing quality hardware used in both non-commercial and enterprise settings. But the ransomware has been plaguing QNAP’s NAS devices since September.

The Muhstik ransomware tries common passwords (a.k.a. brute-forcing) on internet-connected storage devices, encrypts the drives’ contents upon gaining entry, and charges a ransom to decrypt them.

The data can be decrypted only by using a unique decryption key provided after you pay the ransom amount.

Hacking Back The Hackers

Tobias Frömel (a.k.a. battleck), after paying the 0.09 BTC ransom, sought revenge and located the control servers belonging to the Muhstik ransomware group. He carried out a hack of his own to obtain the group’s database of decryption keys.

He was able to hack and release around 2,858 decryption keys and Hardware IDs (HWIDs) stored in the attackers’ database.

Free Decryption For Muhstik – Courtesy Battleck & Emsisoft

Tobias posted the text file containing the keys on Pastebin, along with a free decryption tool on MEGA (Note: Tobias’ decryptor works only on ARM-based CPUs).

Emsisoft later released a decryptor, along with detailed instructions to help decrypt the files, that runs on Windows (x86-based CPUs).

Being The White Hat

Such an act of hacking back isn’t exactly legal, and Tobias too acknowledged this in his forum post on Bleeping Computer.

[Image: Tobias Frömel’s forum post on Bleeping Computer. Source: Bleeping Computer]

“White Hat” in hacking refers to an ethical computer hacker who puts his or her skills to good use by finding vulnerabilities and flaws in a system.

It would have been better if he had informed and worked alongside the authorities. But here’s the downside: it takes a lot of time, especially when government agencies are involved. Tobias took the quick route of working on his own to get back at the perpetrators.

It seems unlikely that he will face any ramifications. A ZDNet report also indicates that a security researcher has made the authorities aware of the situation.

Tobias has also taken to Twitter, notifying other victims not to pay the ransom, since his decryption software is available for free.

Not Something New

Ransomware attacks aren’t new. They are quite common, and you may have heard of some of these attacks in the news over the last few years.

Muhstik is the third ransomware strain to have been spotted this year targeting NAS devices specifically.

A Good Year For Ransomware Victims

This has been a good year for ransomware victims as the keys for the HildaCrypt Ransomware were also released last Friday. 

A free decrypter was also released for eCh0raix, a similar ransomware that targets NAS devices in particular, in August.
