
A victim of the Muhstik Ransomware has hacked back against his attackers and released close to 3,000 decryption keys for victims along with a free decryptor to get their files back.

Since the end of September, an attacker has been hacking into publicly exposed QNAP NAS devices and encrypting the files on them. This ransomware has been named Muhstik based on the .muhstik extension appended to encrypted files.

The attacker would then demand 0.09 bitcoins, or approximately $700 USD, for a victim to get their files back.

Victim hacks back

After paying a ransom of €670, a victim named Tobias Frömel said enough is enough, and hacked back the attacker's command and control server.

Frömel told BleepingComputer that the server contained web shells that allowed him to get access to the PHP script that generates passwords for a new victim. The relevant portion of the PHP script from the command and control server that generates a key and inserts it into the database can be seen below.

Encryption key generation in ransomware server

Frömel told us that he used the same web shell to create a new PHP file based on the key generator and used it to output the HWIDs, which are unique per victim, and decryption keys for the 2,858 Muhstik victims stored in the database.

The HWIDs and their associated decryption keys were then shared with the victims in BleepingComputer's Muhstik support and help topic and with victims on Twitter. This post includes a link to the keys on Pastebin and a free decryptor uploaded to Mega. (Update: See the end of the article for a Windows decryptor created by Emsisoft).

hey guys,
good news for you all, bad news for me 'cause I paid already... maybe someone can give me a tip for my hard work ^^
my wallet: 1JrwK1hpNXHVebByLD2te4E2KzxyMnvhb

I hacked back this criminal and got the whole database with keys, here it is:
https://pastebin.com/N8ahWBni

decryption software:
https://mega.nz/#!O9Jg3QYZ!5Gj8VrBXl4ebp_MaPDPE7JpzqdUaeUa5m9kL5fEmkVs

manual:
upload to nas:
"chmod +x decrypt"
"sudo ./decrypt YOURDECRYPTIONKEY"

and yeah, I know it was not legal from me too, but he used already hacked servers with several webshells on them... and I'm not the bad guy here :D

but it's really sad, I lost 670 € to this criminal :'(

cheers
battleck aka tobias frömel

Victims have since confirmed in our support topic that the decryptor is working and that they were able to decrypt their files.

Decrypting files

BleepingComputer has also been able to confirm that the keys for victims who have requested help in the past can be found in the list released by Frömel.

This has been a good weekend for ransomware victims as the keys for the HildaCrypt Ransomware were also released this Friday.

Update 10/7/19 5:43 PM EST: Emsisoft has released a decryptor that runs on Windows that can be used to decrypt files encrypted by the Muhstik Ransomware.

When using the decryptor, you just need to specify a ransom note on your computer and a victim's decryption key will automatically be downloaded from Emsisoft's servers and added to the decryptor.
