An intruder has hacked and encrypted publicly exposed QNAP NAS devices since the end of September. This ransomware was dubbed Muhstik based on the.muhstik file extension. The intruder would then take 0.09 bitcoins to get his files back, or about $700 USD.
Hacks for Victims home
Upon paying a € 670 rescue, Tobias Frömel, a survivor, said that enough was enough and hacked the attacker’s command and control server back. Frömel told that the database contained web shells that allowed him to access the PHP script for a new victim to generate passwords. Below you can see the relevant portion of the PHP script from the server which produces and inserts a key into the database. Encryption key generation in ransomware server Frömel told us that he used the same web shell for creating a new PHP file based on the key generator and used it to generate HWIDs special per victim and the 2.858 Muhstik victim decryption keypads stored in the server. The HWIDs and their corresponding decryption keys were then exchanged with the victims in the Muhstik support and help discussion and the victims in Twitter. This post has a reference to the Pastebin keys and a free Mega decrypter. (Update: See end of article for Emsisoft’s Windows decryptor). Victims have verified that the decrypter works and they can decrypt their files in our help section. Decrypting files BleepingComputer also reported that the keys for victims who in the past asked for help can be found on the Frömel database. This was a good weekend for ransomware survivors, as the HildaCrypt Ransomware keys were also released on Friday. Update 10/7/19 5:43 PM EST: Emsisoft has released a decrypter running on Windows to decrypt the Muhstik Ransomware encrypted data. Using the decrypter, you only have to indicate a ransom note on your device and a decryption key will be downloaded automatically from Emsisoft’s servers and attached to the decrypter.