Muhstik Ransomware Victim Hacks Back, Releases Decryption Keys
upstart writes for SoyCow9088:
Since the end of September, an attacker has been hacking into publicly exposed QNAP NAS devices and encrypting the files on them. This ransomware has been named Muhstik based on the .muhstik extension appended to encrypted files.
The attacker would then demand 0.09 bitcoins, or approximately $700 USD, for a victim to get their files back.
After paying a ransom of €670, a victim named Tobias Frimel said enough is enough, and hacked back the attacker's command and control server.
Frimel told BleepingComputer that the server contained web shells that allowed him to get access to the PHP script that generates passwords for a new victim. The relevant portion of the PHP script from the command and control server that generates a key and inserts it into the database is shown (as a screenshot) in the BleepingComputer article.
Frimel told us that he used the same web shell to create a new PHP file based on the key generator and used it to output the HWIDs, which are unique per victim, and decryption keys for the 2,858 Muhstik victims stored in the database.
The HWIDs and their associated decryption keys were then shared with the victims in BleepingComputer's Muhstik support and help topic and with victims on Twitter. This post includes a link to the keys on Pastebin and a free decryptor uploaded to Mega.
Read more of this story at SoylentNews.