German Programmer ‘Hacks Back’ After Bitcoin Ransomware Attack

German programmer Tobias Frömel (also known as “battleck”) has “hacked back” the perpetrators of the Muhstik ransomware who forced him to pay 0.09 Bitcoin (BTC) to recover access to his files.

In a Bleeping Computer forum post on Oct. 7, Frömel revealed that he had hacked the attackers’ database, sharing almost 3,000 decryption keys and a free decryptor with fellow victims.

Illegal but sweet revenge

Bleeping Computer previously reported that publicly exposed QNAP NAS devices have been targeted by ransomware dubbed Muhstik. The attackers extorted a fixed “fee” of 0.09 Bitcoin — roughly $740 at publishing time — from victims to recover access to their data via decryption keys.

Having himself paid €670 to the perpetrators, Frömel hacked their command and control server in revenge. He told Bleeping Computer that he had succeeded in retrieving the unique Hardware IDs (HWIDs) and decryption keys for the 2,858 Muhstik victims stored in the attackers’ database.

Victims have since confirmed in BleepingComputer's Muhstik support and help forum that the HWIDs are accurate and that the decryptor works.

Having succeeded in his task, Frömel conceded that his action was illegal, but argued that it was well-intentioned. He also provided a Bitcoin wallet address for fellow victims to tip him for his labor.

Since Frömel’s work, anti-virus firm Emsisoft has released decryption software for victims running ARM-based QNAP devices, which reportedly were not supported in Frömel’s release.

A growing threat

Last month, Emsisoft also released a new free fix for the Bitcoin-demanding ransomware WannaCryFake.

In August, Cointelegraph reported that McAfee Labs’ research indicating that ransomware attacks had increased by 118% in the first quarter of 2019.