A victim of Muhstik ransomware paid the attackers to decrypt his data, and then undertook a different kind of payback – he took revenge by hacking into the server and stealing the decryption keys, only to release them for free to anyone who needed them.
Successful ransomware attacks rarely end on a satisfying note. Even if the victim pays the ransom and receives a key to decrypt the content, money and time are lost. But at least, in this case, the victim managed to disrupt the attacker’s operation.
Software developer Tobias Frömel explained that his QNAP TVS vNAS Server was compromised by Muhstik ransomware. In total, 14 terabytes of data were encrypted, and he chose to pay a €670 ransom to get it back.
“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks,” explains the QNAP advisory. “We strongly recommend that users act immediately to protect their data from possible malware attacks.”
Frömel’s attackers used brute force to bypass the phpMyAdmin credentials, and the path was open. After paying the ransom, Tobias figured out that he can strike back by retrieving the database from the criminal’s server, which contained 2,858 decryption keys.
The developer published all the keys on Pastebin and created a decryptor for anyone affected by the ransomware. Frömel’s actions were technically illegal, but he has since contacted the authorities.