A victim of Muhstik ransomware paid the attackers to decrypt his data, and then undertook a different kind of payback – he took revenge by hacking into the server and stealing the decryption keys, only to release them for free to anyone who needed them.
Successful ransomware attacks rarely end on a satisfying note. Even if the victim pays the ransom and receives a key to decrypt the content, money and time are lost. But at least, in this case, the victim managed to disrupt the attacker’s operation.
Software developer Tobias Frömel explained that his QNAP TVS vNAS Server was compromised by Muhstik ransomware. In total, 14 terabytes of data were encrypted, and he chose to pay a €670 ransom to get it back.
“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks,” explains the QNAP advisory. “We strongly recommend that users act immediately to protect their data from possible malware attacks.”
Frömel’s attackers brute-forced the phpMyAdmin credentials, and from there the path was open. After paying the ransom, Tobias figured out that he could strike back by retrieving the database from the criminal’s server, which contained 2,858 decryption keys.
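The article says the attackers brute-forced the phpMyAdmin credentials, and QNAP's advisory points at weak SQL passwords on devices running phpMyAdmin. As an added example, written here and not taken from the article, from QNAP or from the victim, the following Python detector reads constructed Apache-style access-log lines and flags a burst of failed phpMyAdmin login POSTs from one source address, plus the more important signal: a successful login that follows such a burst. It assumes phpMyAdmin is served under `/phpMyAdmin/` and that its cookie authentication re-renders the login form (HTTP 200) on a failed attempt and redirects (HTTP 302) after a successful one; both the path and the status-code mapping are assumptions to adjust for a given deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed install path of phpMyAdmin; adjust to the real deployment.
LOGIN_PATH = re.compile(r'^/phpmyadmin/index\.php', re.IGNORECASE)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, m.group('method'), m.group('path'), int(m.group('status'))


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for IPs sending `threshold` or more failed login POSTs within
    `window_seconds`, and a stronger alert when a success follows such a burst."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    alerted = set()                 # ips already reported for the current burst
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != 'POST' or not LOGIN_PATH.match(path):
            continue
        q = failures[ip]
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if status == 200:
            # Assumption: login form re-rendered with 200 means the attempt failed.
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(('brute_force', ip, len(q)))
        elif status == 302:
            # Assumption: redirect after POST means the login succeeded.
            if len(q) >= threshold:
                alerts.append(('success_after_bruteforce', ip, len(q)))
            q.clear()
            alerted.discard(ip)
    return alerts


# Constructed sample log (not real traffic): six failed logins from one address
# followed by a success, and a normal GET plus a single successful login from another.
def _line(ip, second, method, status):
    return (f'{ip} - - [10/Oct/2019:02:14:{second:02d} +0000] '
            f'"{method} /phpMyAdmin/index.php HTTP/1.1" {status} 1532')


SAMPLE_LOG = [_line('203.0.113.7', s, 'POST', 200) for s in range(1, 7)]
SAMPLE_LOG += [
    _line('203.0.113.7', 7, 'POST', 302),
    _line('192.0.2.10', 8, 'GET', 200),
    _line('192.0.2.10', 9, 'POST', 302),
]

if __name__ == '__main__':
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a lone burst of failures is noise on any Internet-exposed admin panel, while a redirect following the burst means a guessed password worked and the NAS is now in the attacker's hands. Reading the same signal from the database side (repeated `Access denied` entries in the MySQL error log for the same user) gives a second, independent source for the same rule.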
The developer published all the keys on Pastebin and created a decryptor for anyone affected by the ransomware. Frömel’s actions were technically illegal, but he has since contacted the authorities.