Ransomware Victim Hacks His Hackers

October 10, 2019 / by Crypto.IQ

A user struck back at the ransomware attackers who encrypted his files by hacking their server and releasing the decryption keys for all other victims.

This incident involved the Muhstik ransomware. Muhstik is a recent strain of ransomware that has been active since late September, according to reports.

This ransomware targets network-attached storage (NAS) devices made by Taiwanese hardware vendor QNAP. The cybercriminals behind Muhstik go after QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service.

After gaining access to the phpMyAdmin installation, Muhstik operators encrypt users’ files and save a copy of the decryption keys on their server.

A German programmer, Tobias Frömel, was the victim of the ransomware and decided to pay the ransom of 0.09 BTC to recover his files. In a turn of events, Frömel then decided to return the favor and hacked his hackers.

After decrypting his own data, Frömel analyzed the ransomware software that had infected his NAS drive, figured out how it worked, and hacked back to steal the attackers’ whole database with keys.

He proceeded to post the 2,858 decryption keys in a text file on Pastebin, allowing victims to decrypt their files without paying the ransom. Besides releasing the decryption keys, the German programmer also published decryption software that all Muhstik victims can use to recover their files.

While Frömel’s actions are beneficial for all victims of the ransomware, the programmer himself acknowledged that what he did was not legal, adding that he is still “not the bad guy”.

Although Frömel’s actions were against the law, it is unlikely that authorities will pursue prosecution for hacking back the Muhstik perpetrators. Security researchers are nevertheless advised to work with authorities rather than hack back on their own.

Ransomware Threats Abound

Ransomware-driven criminal activity has spread in recent years, with attackers often demanding that the ransom be paid in cryptocurrencies. Companies, hospitals, and city and county governments have all been targeted over the last several years.

In August, over twenty small towns in Texas were hit with a coordinated ransomware attack. While the towns did not pay the ransom, the operation of internal departments was heavily hindered for two weeks.

Lake City and Riviera Beach in Florida were also hit with ransomware attacks recently. Together, the two cities paid a total ransom of around $1 million in bitcoin. While law enforcement advises against paying ransoms, to avoid encouraging further attacks, local governments often struggle to keep operating while their systems are down.