Ransomware Muhstik Target Hacks Back, Drops Decryption Keys


A survivor of Muhstik Ransomware hacked back his attackers and released nearly 3,000 decryption keys, together with a free decrypter to get their files back.

An intruder has hacked and encrypted publicly exposed QNAP NAS devices since the end of September. This ransomware was dubbed Muhstik based on the.muhstik file extension.

The intruder would then take 0.09 bitcoins to get his files back, or about $700 USD.

Hacks for Victims home

Upon paying a € 670 rescue, Tobias Frömel, a survivor, said that enough was enough and hacked the attacker’s command and control server back.

Frömel told that the database contained web shells that allowed him to access the PHP script for a new victim to generate passwords. Below you can see the relevant portion of the PHP script from the server which produces and inserts a key into the database.

php-scriptEncryption key generation in ransomware server

Frömel told us that he used the same web shell for creating a new PHP file based on the key generator and used it to generate HWIDs special per victim and the 2.858 Muhstik victim decryption keypads stored in the server.

The HWIDs and their corresponding decryption keys were then exchanged with the victims in the Muhstik support and help discussion and the victims in Twitter. This post has a reference to the Pastebin keys and a free Mega decrypter. (Update: See end of article for Emsisoft’s Windows decryptor).

hey guys,
good news for you all, bad news for me cause i paid already... maybe someone
 can give me a tip for my hard work ^^
my wallet: 1JrwK1hpNXHVebByLD2te4E2KzxyMnvhb
i hacked back this criminal and get the whole database with keys, here it
decryption software:
upload to nas:
"chmod +x decrypt"
"sudo ./decrypt YOURDECRYPTIONKEY"
and yeah, i know it was not legal from me too but he used already hacked
 servers with several webshells on it... and im not the bad guy here :D
but its really sad, i lost 670 € to this criminal :'(
battleck aka tobias frömel

Victims have verified that the decrypter works and they can decrypt their files in our help section.

decryptor-runningDecrypting files

BleepingComputer also reported that the keys for victims who in the past asked for help can be found on the Frömel database.

This was a good weekend for ransomware survivors, as the HildaCrypt Ransomware keys were also released on Friday.

Update 10/7/19 5:43 PM EST: Emsisoft has released a decrypter running on Windows to decrypt the Muhstik Ransomware encrypted data.

Using the decrypter, you only have to indicate a ransom note on your device and a decryption key will be downloaded automatically from Emsisoft’s servers and attached to the decrypter.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.