Developer Hacks Back Against Ransomware Attackers and Steals Decryption Keys

A victim of Muhstik ransomware paid the attackers to decrypt his data and then undertook a different kind of payback: he hacked into the attackers' server, stole the decryption keys, and released them for free to anyone who needed them.

Successful ransomware attacks rarely end on a satisfying note. Even if the victim pays the ransom and receives a key to decrypt the content, money and time are lost. But at least, in this case, the victim managed to disrupt the attacker’s operation.

Software developer Tobias Frömel explained that his QNAP TVS vNAS Server was compromised by Muhstik ransomware. In total, 14 terabytes of data were encrypted, and he chose to pay a €670 ransom to get it back.

“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks,” explains the QNAP advisory. “We strongly recommend that users act immediately to protect their data from possible malware attacks.”

Frömel’s attackers used brute force to get past the phpMyAdmin credentials, and the path was open. After paying the ransom, Frömel figured out that he could strike back by retrieving the database, which contained 2,858 decryption keys, from the criminals’ server.

The developer published all the keys on Pastebin and created a decryptor for anyone affected by the ransomware. Frömel’s actions were technically illegal, but he has since contacted the authorities.

About the author

Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between. He's passionate about security and the way it shapes the world, in all aspects of life. He's also a space geek, enjoying all the exciting new things the Universe has to offer.
