A ransomware victim got revenge by hacking into his Bitcoin-demanding attacker’s systems and releasing their decryption keys on the internet.

This could be the most satisfying ransomware story ever.

Over the past few weeks an attacker has been hacking into publicly exposed QNAP Network Attached Storage devices and encrypting the files with the Muhstik Ransomware.

They weren’t too greedy though, demanding a fairly affordable ransom of 0.09 Bitcoin or around $700, for the key to decrypt the files.

After European computer expert Tobias Fromel had his files encrypted, he paid the equivalent of 670 Euro to get them back – but instead of getting mad, he got even.

How the hacked became the hacker

He told Bleeping Computer how he hacked into the attacker’s command and control server.

“The server contained web shells that allowed him to get access to the PHP script that generates passwords for a new victim.

“He used the same web shell to create a new PHP file based on the key generator and used it to output the HWIDs, which are unique per victim, and decryption keys for the 2,858 Muhstik victims stored in the database.”

Fromel then uploaded the keys to Pastebin and a free decryptor tool to Mega.

He added links to the two resources in a help and support forum about the Muhstik ransomware variant to enable victims to recover their files without paying.

FURTHER READING: Ransomware fighter on the run after costing hacker gangs millions.

Ransomware attackers often suck at coding

Brett Callow from New Zealand owned ransomware security specialist firm Emsisoft told Micky the company had built on Fromel’s hard work to release a more thorough decryption tool.

That’s because, just as in many cases before, the attacker was actually quite poor at coding and their decryption tools didn’t work for some victims

“Even though the keys were available, not everyone could use them because the bad guy’s decryption tool didn’t work for all victims (it’d work on some QNAPs, but not on others) “So,” Callow said.

“We released a tool that works on all of ‘em.”

Victorian hospitals hit by ransomware attack

The good news ransomware story comes just a week and a half after a number of Victorian hospitals had their computer systems shut down by a ransomware attack that affected elective surgeries, patient services and staff payrolls.

Hospitals in the Gippsland Health Alliance and the South West Alliance of Rural Health were affected in the attack.

Further reading: Ransomware attacks up 365% – why victims are paying up

Another good news story this week

It’s actually been a good week in terms of free ransomware decryption tools being released on the internet.

In another case the developer who created the HildaCrypt ransomware released the decryption keys himself.

After it was identified in the past week, the attacker came forward and said he’d he’d created it for laughs, no end users had yet been affected and said “It was mainly an educational thing really” .

He decided to release the keys in case “some kid gets a hold of these binaries I hope the keys would be of some use”.