
Published on October 8th, 2019


Decryptors developed for new Muhstik and HildaCrypt ransomwares



Decryptors are now publicly available for a pair of ransomware programs that recently emerged onto the scene. One is the result of a victim hacking back, while the other stems from the developer's decision to release the master private decryption keys.

The first case involves a ransomware called Muhstik that's been using AES-256 to maliciously encrypt files on publicly exposed QNAP network-attached storage devices since late September. The typical extortion damage in such instances has been 0.09 bitcoins, which as of Oct. 8 is equivalent to nearly $750.

According to a report yesterday from BleepingComputer, Muhstik victim Tobias Frömel got revenge on his attackers by hacking back and accessing their command-and-control server. This server reportedly contained web shells that enabled Frömel to access the PHP that generates passwords for victims. Frömel then created his own new PHP file to generate hardware ID numbers and decryption keys for 2,858 Muhstik victims, and then posted the keys and a free decryptor online.

Anti-malware company Emsisoft would later release its own decryption tool. "He [Frömel] released the keys online" along with "the decryption tool he had paid for," said company spokesperson Brett Callow. But that "didn't work for victims with ARM-based QNAPs, so we released a tool that works universally."

Emsisoft yesterday also released a new decryption tool for a separate ransomware strain called HildaCrypt, which the developer claimed was created for fun and for educational reasons. (The company also just updated its decryptor for Aurora ransomware.)

BleepingComputer reported on Oct. 5 that a researcher had discovered the ransomware program and initially thought it was a STOP variant. However, the developer would later contact the researcher and clarify that it was actually a new family called HildaCrypt, which can encrypt files using AES-256 and RSA-2048.

At that point the developer released the master private decryption keys, from which a decryptor was derived. The developer reportedly told BleepingComputer that the ransomware was never used on anyone. "There're four variants and the dev handed over keys for all of 'em," Callow told DigitalMunition.
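The combination named above, AES-256 for file contents and RSA-2048 protecting the file keys, is exactly why a released master private key is enough to derive a decryptor for every victim at once. The Go program below is an added example written for this page to illustrate that key hierarchy; it is not HildaCrypt's code, Emsisoft's decryptor, or anything taken from the reporting. The envelope layout, the choice of AES-GCM and RSA-OAEP, and the function names are assumptions made to keep the model simple, and the sample file contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the assumed layout for one locked file: the per-file AES key
// wrapped with the master RSA public key, the AES-GCM nonce and the ciphertext.
// Real families lay this out differently; this is a teaching model only.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile models the hybrid scheme: a fresh random AES-256 key per file,
// wrapped with the master RSA-2048 public key via RSA-OAEP. Nothing left on
// the victim's device can unwrap it; only the master private key can.
func sealFile(masterPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, masterPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// openFile is what a decryptor built from a released master private key does:
// unwrap the per-file key, then decrypt. One private key opens every file
// sealed under the matching public key, so one released key serves all victims.
func openFile(masterPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, masterPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong master key or corrupt envelope
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip seals plaintext under a fresh master key pair and recovers it with
// the private half, reporting whether the recovered bytes match.
func RoundTrip(plaintext []byte) (bool, error) {
	master, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	env, err := sealFile(&master.PublicKey, plaintext)
	if err != nil {
		return false, err
	}
	got, err := openFile(master, env)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, plaintext), nil
}

// WrongKeyFails checks that an unrelated private key cannot open the envelope:
// without the released master key there is no shortcut past RSA-2048.
func WrongKeyFails(plaintext []byte) (bool, error) {
	master, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	env, err := sealFile(&master.PublicKey, plaintext)
	if err != nil {
		return false, err
	}
	_, err = openFile(other, env)
	return err != nil, nil
}

func main() {
	sample := []byte("constructed sample file contents") // constructed input
	ok, _ := RoundTrip(sample)
	bad, _ := WrongKeyFails(sample)
	fmt.Println("master key recovers file:", ok, "| unrelated key fails:", bad)
}
```

The point for defenders is in the two checks: the per-file AES-256 keys are never recoverable from the locked files themselves, so a decryptor only becomes possible when the RSA private half is obtained, whether the author hands it over as here, or it is recovered from seized infrastructure as in the Muhstik case above.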

