German Programmer ‘Hacks Back’ After Bitcoin Ransomware Attack

Published at: Oct. 9, 2019

German programmer Tobias Frömel (also known as “battleck”) has “hacked back” the perpetrators of the Muhstik ransomware who forced him to pay 0.09 Bitcoin (BTC) to recover access to his files.

In a Bleeping Computer forum post on Oct. 7, Frömel revealed that he had hacked the attackers’ database, sharing almost 3,000 decryption keys and a free decryptor with fellow victims.

Illegal but sweet revenge

Bleeping Computer previously reported that publicly exposed QNAP NAS devices have been targeted by ransomware dubbed Muhstik. The attackers extorted a fixed “fee” of 0.09 Bitcoin — roughly $740 at publishing time — from victims to recover access to their data via decryption keys.

Having himself paid €670 to the perpetrators, Frömel hacked their command and control server in revenge. He told Bleeping Computer that he had succeeded in retrieving the unique Hardware IDs (HWIDs) and decryption keys for the 2,858 Muhstik victims stored in the attackers’ database.

Victims have since confirmed in Bleeping Computer's Muhstik support and help forum that the HWIDs are accurate and that the decryptor works.

Having succeeded in his task, Frömel conceded that his action was illegal, but argued that it was well-intentioned. He also provided a Bitcoin wallet address for fellow victims to tip him for his labor.

Since Frömel’s work, anti-virus firm Emsisoft has released decryption software for victims running ARM-based QNAP devices, which reportedly were not supported in Frömel’s release.

A growing threat

Last month, Emsisoft also released a new free fix for the Bitcoin-demanding ransomware WannaCryFake.

In August, Cointelegraph reported on McAfee Labs’ research indicating that ransomware attacks had increased by 118% in the first quarter of 2019.
