Ransomware Gang's Victim Cracks Their Server and Releases All Their Decryption Keys (zdnet.com)
"A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all victims," writes ZDNet.
ccnafr shared their report: One of the gang's victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files. However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks' database from their server. "I know it was not legal from me," the researcher wrote in a text file he published online on Pastebin earlier Monday, containing 2,858 decryption keys. "I'm not the bad guy here," Frömel added.
Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are available on the Bleeping Computer forum.
In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter's availability, advising users against paying the ransom.
Righteous (Score:5, Interesting)
Good to hear one of these shameful dickwads get bitten back by a real hacker.
Re: (Score:2)
I’m a bit puzzled how a hacker got hit by this in the first place, though. Why was his NAS exposed to the internet?
Re: (Score:3)
While I jest, really all it takes is letting your guard down just enough one time to get caught by some kind of trick. Some years ago I almost got roped into some scam over the phone because I answered the call early in the morning while I was hung over. Even if you're aware of the usual social engineering techniques that are designed to mislead people, it's still easy to fall for them if you're not watching out
Why would you *ever* let anyone touch your data (Score:2)
You don't let random strangers shove their fist up your asshole because you're hung over, do you?
Rule #1: if you didn't ask for it, it's probably bad. So don't open it!
more Righteous (Score:2)
What I would really like to hear is that 2-3 Hellfire missiles cleared the server area and operators...
Re: (Score:2)
Why waste perfectly good Hellfires on something a few bullet rounds can accomplish?
It's much more personal that way, too.
Then again, a bowie knife is even more so.
Re:Righteous (Score:5, Insightful)
Your backups are absolutely up to date? And you have 3 generations that ensure you still have a good version of your files, even if you only notice you've been hit by encryption malware after a month or so when you access those files again for the first time?
And you never clicked on anything by accident?
Re:Righteous (Score:5, Insightful)
Your backups are absolutely up to date? And you have 3 generations that ensure you still have a good version of your files, even if you only notice you've been hit by encryption malware after a month or so when you access those files again for the first time?
Actually, yes. In part because I’m old enough to remember when dusk crashes weren’t that uncommon.
And you never clicked on anything by accident?
From what I understand of this malware, it doesn’t require any user interaction. The bad guys are scanning for a specific vulnerable type of NAS hardware which has been left exposed to the internet.
Re: (Score:2)
"Actually, yes. In part because I’m old enough to remember when dusk crashes weren’t that uncommon."
Where I lived we had a relatively reliable power system, so dusk crashes were quite uncommon. However, spinning mechanical things (like disks) do tend to fall apart eventually -- sooner if you enable the System Destroyer (I believe the common euphemism is Power Saving).
Spinning mechanical equipment usually lasts the longest if you get it up to operating speed and temperature ONCE and then keep it
Re: (Score:2)
Each thermal cycle cuts the lifetime in half.
Do you actually believe your own bullshit?
Then VPN into your home network and then access the resources you need.
Probably incorrect (Score:2)
"I know it was not legal from me"
This is probably incorrect.
Re:Probably incorrect (Score:5, Interesting)
Unauthorized access is unauthorized access whether you're doing it for good or evil. It's hard to imagine a court prosecuting him for it, though, if he didn't do any damage to their systems while he was there, and didn't charge any money for the data.
On the other hand, if I were to imagine it happening, Germany is one of the countries I would imagine it happening in. They have a serious hard-on for the law.
Re: (Score:3)
I think most people would be in favor of drone strikes if they were against assholes like this instead of random nobodies in the Middle East.
Re: Probably incorrect (Score:2)
Was really hoping he could resolve the server address to a house that could be staked out by special ops.
No drone strike as it's probably some shmucks server farm, but worth a small set of eyes looking into it.
Re: (Score:2)
The German judiciary system is usually not big on vigilante justice. But in this case I think most judges probably won't convict unless the defense lawyer and defendant actively try to get a conviction.
Re:Probably incorrect (Score:5, Insightful)
Vigilante justice is where you seek to punish a perpetrator for their actions. That's the "justice" part.
It does not cover acting to interfere with an ongoing crime in a way that protects the victims.
I don't know if the specific details make it legal or illegal in Germany in this case, but it was clearly not "Vigilante justice."
Re: Probably incorrect (Score:2)
It is illegal in Germany as is any intrusion into a computer system. Any unauthorized access of hardware is illegal in Germany. White hacking is illegal here.
It is unclear if state prosecution will act based on this article on its own. Not clear what rules apply for them to have to get active.
Re: (Score:2)
You see, the problematic part is the "ongoing crime" and "protects the victims".
In German law for that to be valid the threat must be immediate to justify the (otherwise unlawful) action. The general idea is that the actions must prevent something happening to yourself or someone else that without the actions would
Re: (Score:2)
No, the German courts will decide using German. They don't get to decide what English means.
Re: (Score:2)
It's called "Selbstjustiz", which literally translates to self-justice but is more aptly translated in its meaning to vigilante justice, as it is a subset of "Vigilantismus", which translates to vigilantism.
And that is something the victim in TFA is thinking about, since he is within the jurisdiction of German law.
What made you think that I was talking about English "vigilante justice" while talking about the Germa
Re: (Score:1)
Most countries, including Germany, have a public interest test for prosecution.
It's not clear how that test could ever be passed in this case, it would be impossible to justify that the prosecution of someone who has protected thousands of people from crime is in the public interest.
You're right it's still technically illegal, but it's indeed the case that it's hard to see how there could realistically be any prosecution over this that wouldn't immediately fail the public interest test.
Most countries have a "self defence" law that allows you to take an action that would otherwise be illegal if you're protecting yourself, or another person, from some sort of crime.
In any country using the English Common Law system, that would shield them in this sort of case since his actions were proportionate and succeeded in protecting people. If he'd tried to hack it and failed, it would be less clear, because his motives would remain unknown and might have merely been revenge. But since he succeeded,
It would still be illegal in the US (Score:4, Informative)
He's in Germany. As of June 13 it was still illegal in the US. You can track attempts to legalize it by searching for "hack back".
From CyberScoop [cyberscoop.com]:
Re:It would still be illegal in the US (Score:5, Informative)
He's in Germany. As of June 13 it was still illegal in the US.
Clearly a case where prosecutorial discretion would be reasonable. Plus I doubt the criminals would come to the US to pursue a case.
Re: (Score:3)
You forgot to also apply Common-Law considerations. Which is a major fail, because there is a common-law self defence principle.
"Hacking back" doesn't only encompass defence, it also encompasses merely attacking the attacker to punish them, or to stop them from engaging in future attacks. Self defence doesn't cover continuing to attack somebody after they finished attacking you, so most "hacking back" cases are merely vigilante attacks.
In this case, he was hacking them to stop the rest of the ongoing attack
Re: (Score:3)
Depends on the jurisdiction.
This is, by the way, why such a "crime" needs to be in civil, not criminal, court. In a civil case, the damaged party must actually come forward to demand prosecution.
More appropriate if he held the Server for Ransom (Score:2)
I would expect that there is a lot more information than just the ransom keys (which I applaud Frömel for releasing) on the server that would be important to the owners.
On second thought, maybe this could be considered "blackmail", but it would be righteous.
Re: (Score:2)
"I have your keys Please drop, say, 3000 bitcoins to the account mentioned below or they go on pastebin"
Something like that?
Re: (Score:2)
Works for me.
Shouldn't the government be doing this stuff ... (Score:5, Informative)
It's amazing, we spend billions on security, and yet some private citizen has to step up and get the job done? What the f*ck are all these security bureaucrats doing with our time and money? Not to even mention all the resources owned and controlled by all the world's multinational corporations. If just a small percentage was properly directed at the world's real problems, instead of on gratuitous lifestyles, everyone would be a lot better off.
Our society is most likely doomed, and clearly the cause is unmitigated greed.
Re: Shouldn't the government be doing this stuff . (Score:2)
In most cases, government sanctioned hacking is still a taboo. It occasionally happens in high-stakes or military situations but I'm assuming in most cases, they are going to have to jump thru a bunch of hoops to get a warrant first. Retaliatory hacking as a standard first line offense or defense is just something that is currently not done.
Re: (Score:2)
Expecting any body composed of imperfect people to be better than the best (or more realistically perhaps the average or even w
Why does the NSA exist? (Score:4, Insightful)
Re: (Score:3)
Because dealing with petty criminals is not their job?
When ransomware takes down whole hospital systems, public schools, major corporations - it affects national security. Let the full force of NSA investigation be used to identify the perpetrators and use black ops against them in a way that will dissuade anyone else from trying this kind of attack.
Re: (Score:3)
Their job is not to "protect national security," that is the job of the Department of Homeland Security.
Their job is to provide signals intelligence to the other parts of the military.
Using that stuff for law enforcement is one of the horrible mistakes China is making.
Re: (Score:2)
When ransomware takes down whole hospital systems
Let me stop you right there. Please show us the evidence that *this* specific ransomware has affected any of your major targets.
Secondly, calling it a matter for the NSA just because you applied a leap of logic to get the words "national security" into your scenario doesn't make it the NSA's job. The NSA has a very specific job that is more refined than spelling out a three letter acronym.
If you wanted a TLA agency to help you maybe you should be asking the Cyber Division of the FBI since this is actually
Re: (Score:2)
NSA is a military intelligence organization, not a law enforcement organization.
How much money they get is not disclosed.
He did it wrong (Score:1)
He should have ransomed the ransomers to return their ill-gotten gains to their victims.
Nah, just kidding. You don't fight a crook by becoming a crook. Still, a tip of the hat for what he did do.
Did he notify the authorities (Score:2)
Give this guy a Nobel Prize... doesn't ma (Score:1)
Re: LOCK HIS ASS UP (Score:2)
Gulag FTW!