Ransomware victim hacks attacker, turning the tables by stealing decryption keys
Someone gets infected by ransomware, and then they pay the ransom. The victim then licks their wounds and hopefully learns something from the experience.
And that’s what happened to Tobias Frömel, a German developer and web designer who found himself paying a Bitcoin ransom of 670 Euros (US $735) after his QNAP NAS drive was hit by the Muhstik ransomware.
However, Frömel didn’t just put down the whole unpleasant episode to experience, vow to better protect his devices, and employ a more reliable backup regime in future.
No, Frömel decided to hack the very people responsible for the attack.
After decrypting his own data, Frömel (who also calls himself “battleck” online) analysed the very ransomware that had infected his NAS drive, determined how it worked, and says that he “hacked back”, stealing the criminal’s “whole database with keys.”
From the sound of things whoever was behind the Muhstik attack was more successful at writing ransomware than securing their own database from a web developer.
In a posting on the Bleeping Computing forum, Frömel admitted what he had done and posted a link to a Pastebin page where he had published the stolen keys, as well as decryption software.
“hey guys, good news for you all, bad news for me cause i paid already… maybe someone can give me a tip for my hard work ^^
Furthermore, in an attempt to do some good and deprive cybercriminals of income Frömel has been seeking out Muhstik victims on Twitter and pointing them towards his decryption keys and instructions on how to recover their data.
Although many may feel tempted to applaud what Frömel did, hacking online criminals is not to be recommended. Frömel himself acknowledges that what he did was against the law, although I would be surprised if he gets into any trouble over it:
“yeah, i know it was not legal from me too but he used already hacked servers with several webshells on it… and im not the bad guy here :D”
The Next Web reports that anti-virus firm Emsisoft tested Frömel’s decryption tool and found that it did not work properly on ARM-based QNAP devices. Anyone attempting to recover such a device from a Muhstik ransomware attack may wish to use Emsisoft’s tool instead.
Of course, prevention is always better than cure, and QNAP issued a security advisory about the threat posed by the Muhstik ransomware against its NAS drives last week, recommending customers act immediately to protect their data from malware attacks.