Ransomware Victim Hacks Attacker and Releases Decryption Keys

A ransomware attacker got a taste of their own medicine when one of their victims hacked their server and released the decryption keys for other victims to use.

The attacker had used the Muhstik ransomware to encrypt the files of Tobias Frömel, a German software developer. Frömel paid the gang's 670 Euro (US$730) ransom but was still annoyed at what had happened, so he got his revenge.

"I hacked back this criminal and get the whole database with keys," he wrote in a text file - containing over 2,800 decryption keys - he published online. "I know it was not legal from me too but he used already hacked servers with several webshells on it... and I'm not the bad guy here."

Muhstik is ransomware that appeared at the end of September this year and targets network-attached storage (NAS) devices made by QNAP. According to a security advisory from QNAP, devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attack. The ransomware was dubbed Muhstik because of the .muhstik extension it appends to encrypted files.

While Frömel's actions are illegal, it's doubtful charges will be brought against him (especially from the Muhstik attacker) for what many consider to be his 'Robin Hood' actions.
