Programmer Hacks Ransomware Crooks, Releases Decryption Keys

A German programmer has released decryption keys for a strain of ransomware after himself falling victim to the malicious code.

Tobias Frömel, a Bavarian developer and web designer, said he paid 670 euros (£598) to the developers of the Muhstik ransomware after he was hacked.

Muhstik targets NAS storage devices made by Taiwan’s QNAP Systems, according to an advisory released by QNAP last week.

The malware tries common passwords on the internet-connected storage devices and, if it gains entry, encrypts the drives’ contents and charges a ransom to decrypt them.

Reverse hack

Frömel said that after recovering from his own attack he located the control servers belonging to the Muhstik gang and carried out a hack of his own to obtain the group’s database of decryption keys.

He released the more than 2,000 keys in a text file on the Pastebin code snippet website, along with a decryption tool.

“I hacked back this criminal and got the whole database (of) keys,” Frömel said in a message posted to the forums of tech help site Bleeping Computer.

He said he was aware it was “not legal” to hack criminals’ systems, but added, “I’m not the bad guy here.”

White hat

Frömel also contacted authorities and provided information about the Muhstik group, according to a security researcher cited by ZDNet.

So-called “white hat” hacking is a controversial practice that exposes those who engage in it to legal action.

However, researchers have found other means to deduce the decryption keys to some other strains of ransomware, with Bitdefender, for instance, publishing a decryption tool for GandCrab, one of the most widespread variants.

QNAP recommended that users take a range of measures to protect themselves from the Muhstik ransomware, including using strong passwords and disabling the phpMyAdmin tool when possible.