
Decryptors developed for new Muhstik, HildaCrypt ransomwares

Decryptors are now publicly available for a pair of ransomware programs that recently emerged onto the scene. One is the result of a victim hacking back, while the other stems from the developer's decision to release the master private decryption keys.

The first case involves a ransomware called Muhstik that's been using AES-256 to maliciously encrypt files on publicly exposed QNAP network-attached storage devices since late September. The typical extortion damage in such instances has been 0.09 bitcoins, which as of Oct. 8 is equivalent to nearly $750.

According to a report yesterday from BleepingComputer, Muhstik victim Tobias Frömel got revenge on his attackers by hacking back and accessing their command-and-control server. This server reportedly contained web shells that enabled Frömel to access the PHP that generates passwords for victims. Frömel then created his own new PHP file to generate hardware ID numbers and decryption keys for 2,858 Muhstik victims, and then posted the keys and a free decryptor online.

Anti-malware company Emsisoft would later release its own decryption tool. "He [Frömel] released the keys online" along with "the decryption tool he had paid for," said company spokesperson Brett Callow. But that "didn’t work for victims with ARM-based QNAPs, so we released a tool that works universally."

Emsisoft yesterday also released a new decryption tool for a separate ransomware strain called HildaCrypt, which the developer claimed was created for fun and for educational reasons. (The company also just updated its decryptor for Aurora ransomware.)

BleepingComputer reported on Oct. 5 that a researcher had discovered the ransomware program and initially thought it was a STOP variant. However, the developer would later contact the researcher and clarify that it was actually a new family called HildaCrypt, which can encrypt files using AES-256 and RSA-2048.

At that point the developer released the master private decryption keys, from which a decryptor was derived. The developer reportedly told BleepingComputer that the ransomware was never used on anyone. "There're four variants and the dev handed over keys for all of 'em," Callow told SC Media.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
