Ransomware Gang's Victim Cracks Their Server and Releases All Their Decryption Keys (zdnet.com)

"A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all victims," writes ZDNet.

ccnafr shared their report: One of the gang's victims was Tobias Frömel, a German software developer. Frömel was one of the victims who paid the ransom demand so he could regain access to his files. However, after paying the ransom, Frömel also analyzed the ransomware, gained insight into how Muhstik operated, and then retrieved the crooks' database from their server. "I know it was not legal from me," the researcher wrote in a text file he published online on Pastebin earlier Monday, containing 2,858 decryption keys. "I'm not the bad guy here," Frömel added.

Besides releasing the decryption keys, the German developer also published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are available on the Bleeping Computer forum.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter's availability, advising users against paying the ransom.

  • Righteous (Score:5, Interesting)

    by robsku ( 1381635 ) <{moc.liamg} {ta} {ekusiadekusbor}> on Saturday October 12, 2019 @02:43PM (#59300102) Homepage

    Good to hear one of these shameful dickwads get bitten back by a real hacker.

    • I’m a bit puzzled how a hacker got hit by this in the first place, though. Why was his NAS exposed to the internet?

      • Who here among us hasn't ever been falsely drawn in by the allure of hot singles in our area?

        While I jest, really all it takes is letting your guard down just enough one time to get caught by some kind of trick. Some years ago I almost got roped into some scam over the phone because I answered the call early in the morning while I was hung over. Even if you're aware of the usual social engineering techniques that are designed to mislead people, it's still easy to fall for them if you're not watching out
      • Honeypot or other agency sting.

        What I would really like to hear is that 2-3 Hellfire missiles cleared the server area and operators...
        • Why waste perfectly good Hellfires on something a few bullet rounds can accomplish?

          It's much more personal that way, too.

          Then again, a bowie knife is even more so.

      • Re:Righteous (Score:5, Insightful)

        by Opportunist ( 166417 ) on Saturday October 12, 2019 @04:57PM (#59300648)

        Your backups are absolutely up to date? And you have 3 generations that ensure you still have a good version of your files, even if you only notice you've been hit by encryption malware after a month or so when you access those files again for the first time?

        And you never clicked on anything by accident?

        • Re:Righteous (Score:5, Insightful)

          by 93 Escort Wagon ( 326346 ) on Saturday October 12, 2019 @05:10PM (#59300712)

          Your backups are absolutely up to date? And you have 3 generations that ensure you still have a good version of your files, even if you only notice you've been hit by encryption malware after a month or so when you access those files again for the first time?

          Actually, yes. In part because I’m old enough to remember when dusk crashes weren’t that uncommon.

          And you never clicked on anything by accident?

          From what I understand of this malware, it doesn’t require any user interaction. The bad guys are scanning for a specific vulnerable type of NAS hardware which has been left exposed to the internet.

          • "Actually, yes. In part because I’m old enough to remember when dusk crashes weren’t that uncommon."

            Where I lived we had a relatively reliable power system, so dusk crashes were quite uncommon. However, spinning mechanical things (like disks) do tend to fall apart eventually -- sooner if you enable the System Destroyer (I believe the common euphemism is Power Saving).

            Spinning mechanical equipment usually lasts the longest if you get it up to operating speed and temperature ONCE and then keep it

      • I'm guessing there was a news story he wanted to read and had to turn off ad blocking because it wouldn't even work in private/incognito mode.
  • "I know it was not legal from me"

    This is probably incorrect.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday October 12, 2019 @03:04PM (#59300172) Homepage Journal

      Unauthorized access is unauthorized access whether you're doing it for good or evil. It's hard to imagine a court prosecuting him for it, though, if he didn't do any damage to their systems while he was there, and didn't charge any money for the data.

      On the other hand, if I were to imagine it happening, Germany is one of the countries I would imagine it happening in. They have a serious hard-on for the law.

      • Who'd convict him for it though? Even if he came out and said he found the guy's identity and sent an assassin to murder the guy in the most gruesome fashion imaginable, I'd still vote "not guilty" at any trial.

        I think most people would be in favor of drone strikes if they were against assholes like this instead of random nobodies in the Middle East.
        • Was really hoping he could resolve the server address to a house that could be staked out by special ops.
          No drone strike as it's probably some shmucks server farm, but worth a small set of eyes looking into it.

        • by fazig ( 2909523 )
          While public opinion does play some role in the rulings of German courts, the judiciary system as a whole is inquisitorial. The trier of facts in this system is not a jury of your peers, it's the judge alone.

          The German judiciary system is usually not big on vigilante justice. But in this case I think most judges probably won't convict unless the defense lawyer and the defendant actively try to get a conviction.
          • by Aighearach ( 97333 ) on Saturday October 12, 2019 @06:51PM (#59301086)

            Vigilante justice is where you seek to punish a perpetrator for their actions. That's the "justice" part.

            It does not cover acting to interfere with an ongoing crime in a way that protects the victims.

            I don't know if the specific details make it legal or illegal in Germany in this case, but it was clearly not "Vigilante justice."

            • It is illegal in Germany as is any intrusion into a computer system. Any unauthorized access of hardware is illegal in Germany. White hacking is illegal here.

              It is unclear if state prosecution will act based on this article on its own. Not clear what rules apply for them to have to get active.

            • by fazig ( 2909523 )
              You do not get to define what "vigilante justice" is. That's for the German courts to decide (which is my entire point). And my statement only was that the courts don't like vigilante justice.

              You see, the problematic part is the "ongoing crime" and "protects the victims".
              In German law for that to be valid the threat must be immediate to justify the (otherwise unlawful) action. The general idea is that the actions must prevent something happening to yourself or someone else that without the actions would
              • No, the German courts will decide using German. They don't get to decide what English means.

                • by fazig ( 2909523 )
                  Exactly, and there's a definition for the German version of vigilante justice in German law.
                  It's called "Selbstjustiz", which literally translates to self-justice but is more aptly translated in its meaning to vigilante justice, as it is a subset of "Vigilantismus" which translates to vigilantism.
                  And that is something the victim in TFA is thinking about, since he is within the jurisdiction of German law.

                  What made you think that I was talking about English "vigilante justice" while talking about the Germa
      • by Anonymous Coward

        Most countries, including Germany, have a public interest test for prosecution.

        It's not clear how that test could ever be passed in this case, it would be impossible to justify that the prosecution of someone who has protected thousands of people from crime is in the public interest.

        You're right it's still technically illegal, but it's indeed the case that it's hard to see how there could realistically be any prosecution over this that wouldn't immediately fail the public interest test.

      • Only certain portions of the law. They're perfectly fine ignoring rapes, attacks on Jews, etc.
      • Most countries have a "self defence" law that allows you to take an action that would otherwise be illegal if you're protecting yourself, or another person, from some sort of crime.

        In any country using the English Common Law system, that would shield them in this sort of case since his actions were proportionate and succeeded in protecting people. If he'd tried to hack it and failed, it would be less clear, because his motives would remain unknown and might have merely been revenge. But since he succeeded,

      • Most such laws have a provision which excludes protection for illegal activity. So if you're using your server for illegal purposes, then the laws against hacking do not protect you. The DMCA is a good example. All those legal prohibitions against breaking encryption meant to protect copyright do not apply if you're generating illegal content (e.g. child porn).
    • by Ungrounded Lightning ( 62228 ) on Saturday October 12, 2019 @03:52PM (#59300394) Journal

      He's in Germany. As of June 13 it was still illegal in the US. You can track attempts to legalize it by searching for "hack back".

      From CyberScoop [cyberscoop.com]:

      The concept of "hacking back" -- which has often been referred to as "the worst idea in cybersecurity" -- has resurfaced again in Washington.

      Rep. Tom Graves, R-Ga., is reintroducing a bill Thursday that would allow companies to go outside of their own networks to identify their attackers and possibly disrupt their activities. While Graves has made previous attempts to legalize the practice, "hacking back" would currently be a violation of the Computer Fraud and Abuse Act. The CFAA, enacted in 1986, makes it illegal to access computers without authorization.

      • by Registered Coward v2 ( 447531 ) on Saturday October 12, 2019 @04:08PM (#59300456)

        He's in Germany. As of June 13 it was still illegal in the US.

        Clearly a case where prosecutorial discretion would be reasonable. Plus I doubt the criminals would come to the US to pursue a case.

      • You forgot to also apply Common-Law considerations. Which is a major fail, because there is a common-law self defence principle.

        "Hacking back" doesn't only encompass defence, it also encompasses merely attacking the attacker to punish them, or to stop them from engaging in future attacks. Self defence doesn't cover continuing to attack somebody after they finished attacking you, so most "hacking back" cases are merely vigilante attacks.

        In this case, he was hacking them to stop the rest of the ongoing attack

    • Depends on the jurisdiction.

      This is, by the way, why such a "crime" needs to be in civil, not criminal, court. In a civil case, the damaged party must actually come forward to demand prosecution.

  • I would expect that there is a lot more information than just the ransom keys (which I applaud Frömel for releasing) on the server that would be important to the owners.

    On second thought, maybe this could be considered "blackmail", but it would be righteous.

  • by 2TecTom ( 311314 ) on Saturday October 12, 2019 @03:23PM (#59300232) Homepage Journal

    It's amazing, we spend billions on security, and yet some private citizen has to step up and get the job done? What the f*ck are all these security bureaucrats doing with our time and money? Not to even mention all the resources owned and controlled by all the world's multinational corporations. If just a small percentage was properly directed at the world's real problems, instead of on gratuitous lifestyles, everyone would be a lot better off.

    Our society is most likely doomed, and clearly the cause is unmitigated greed.

    • In most cases, government sanctioned hacking is still a taboo. It occasionally happens in high stake or military situation but I'm assuming in most cases, they are going to have to jump thru a bunch of hoops to get a warrant first. Retaliatory hacking as a standard first line offense or defense is just something that is currently not done.

    • Maybe it's time to come to terms with the fact that the government can't be a perfect guardian and that it's better to give citizens the ability to sort out their own problems instead of trying to put all of that responsibility into a central authority that can't possibly manage all of it and if it actually could would be capable of such tyranny that it would be utterly horrible.

      Expecting any body composed of imperfect people to be better than the best (or more realistically perhaps the average or even w
  • by AndyKron ( 937105 ) on Saturday October 12, 2019 @04:09PM (#59300464)
    How much money does the NSA get? One guy was able to crack it. Why couldn't the NSA with all their resources and billions of dollars?
    • Because dealing with petty criminals is not their job?
      • Because dealing with petty criminals is not their job?

        When ransomware takes down whole hospital systems, public schools, major corporations - it affects national security. Let the full force of NSA investigation be used to identify the perpetrators and use black ops against them in a way that will dissuade anyone else from trying this kind of attack.

        • Their job is not to "protect national security," that is the job of the Department of Homeland Security.

          Their job is to provide signals intelligence to the other parts of the military.

          Using that stuff for law enforcement is one of the horrible mistakes China is making.

        • When ransomware takes down whole hospital systems

          Let me stop you right there. Please show us the evidence that *this* specific ransomware has affected any of your major targets.

          Secondly, calling it a matter for the NSA just because you applied a leap of logic to get the words "national security" into your scenario doesn't make it the NSA's job. The NSA has a very specific job that is more refined than spelling out a three letter acronym.

          If you wanted a TLA agency to help you maybe you should be asking the Cyber Division of the FBI since this is actually

    • NSA is a military intelligence organization, not a law enforcement organization.

      How much money they get is not disclosed.

  • by Anonymous Coward

    He should have ransomed the ransomers to return their ill-gotten gains to their victims.

    Nah, just kidding. You don't fight a crook by becoming a crook. Still, a tip of the hat for what he did do.

  • I would hope that he gave the authorities a lead that could at least give them the chance to track down these cunts and throw them in jail for 50 years or so. Maybe cut off their fingers.
  • Give this guy a Nobel Prize... doesn't matter which one.
