Muhstik Ransomware: A Hack-Back Story

Since 2010 users have been plagued by nearly uncountable versions of a seemingly uncountable variety of ransomware variants. While tactics have changed, including infection vectors, the goal of ransomware has remained the same: namely, to render a machine so unusable to the victim that they feel obliged to pay the ransom demanded. In the past this was done by locking victims out of the device; these variants fell under the umbrella of locker ransomware. Then ransomware began to encrypt files with certain extensions. This type, called crypto-ransomware, posed a very different problem to victims, as decrypting files without sufficient know-how is practically impossible.

Recently ransomware operators have adopted big game hunting tactics when deploying ransomware. By attacking large organizations including colleges, hospitals, police departments and other government departments, hackers can effectively shut down operations by encrypting vital files needed to operate. This is done so that larger ransoms can be demanded, but not larger than the costs associated with not paying, including losses associated with downtime. For operators deploying STOP and Ryuk variants, this tactic has seen mass adoption, helping make those variants the most commonly seen by researchers today.

While some have decided to catch bigger fish, other ransomware operators still seem content to target smaller businesses and private users. In these cases a vastly smaller number is demanded in ransom—it could be anything from $500 to $700 USD in Bitcoin, for example—but the number demanded would still seem reasonable to those about to lose a lifetime of memories or a small business having to close its doors briefly. One such ransomware used for this purpose is Muhstik.

Muhstik Ransomware

Muhstik, called that because it appends the extension .muhstik to encrypted files, is a later variant of QNAPCrypt. The latter ransomware was a unique discovery as QNAPCrypt exclusively targeted Linux-based file-storage systems. QNAPCrypt targeted network-attached storage (NAS) servers—in particular, those manufactured by QNAP. Hence, the ransomware’s name. Researchers spotted the ransomware in 15 separate campaigns with analysis revealing it was an ARM variant of the ransomware formula. ARM variants encrypt all files found on the server rather than searching for and encrypting only certain extensions, such as .doc or .jpeg.

Ransomware that targets Linux machines is rare, doubly so for ones that look to encrypt all files on the storage device. Despite the novelty of QNAPCrypt, it was still flawed, as it created a list of Bitcoin wallet addresses in advance rather than in real time when an infection occurs. This meant that based on its programming, the ransomware could infect only a finite number of victims. Once all the wallets were allocated, the ransomware ceased infection attempts. This allowed security researchers to conduct a denial-of-service attack on the hacker’s assets. Further flaws, including the lack of authentication procedures implemented on the SOCKS5 connection proxy, were discovered by researchers.

The malware’s developers then began releasing a slew of newer versions, including one that looks to infect servers via brute force attacks. If the server was found to have a weak or default password, it was easy pickings for the ransomware. This serves as a good reminder of why it is important to have strong passwords implemented as a matter of course.

Muhstik adopts much of the same code and tactics from QNAPCrypt. Discovered by security researcher Amigo-A, Muhstik also targets QNAP NAS devices as well as Windows machines, and uses strong encryption algorithms. In late September, reports emerged of Muhstik, with people turning to Reddit for help after falling victim to the ransomware. Much like with QNAPCrypt, Muhstik was spread through a brute force attack, leveraging weak and default passwords to gain access to the device. Such attacks do not use any intellectual or social engineering tactics to compromise a system and allow access for the attacker. Simply put, the attack submits thousands of passwords and passphrases hoping one of them will be the lucky one. The hacker doesn’t do this manually, in most cases, but relies on a tool that automates the process to conduct the attack.

Screenshot of Muhstik ransom-demanding message.

In the case of Muhstik, it was revealed that the ransomware was targeting QNAP NAS devices that were running phpMyAdmin and were exposed online. The phpMyAdmin tool is an incredibly popular web hosting tool used to handle administrative MySQL requests. By simply having strong passwords for the NAS devices, users greatly decrease their risk of infection by Muhstik.
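A defender can spot this kind of password guessing in the web server's access log before it succeeds. The following is an added example, not code from the original article or from QNAP: it counts login POSTs per source address in a sliding window. The combined log format, the /phpmyadmin/ path, the 60-second window, the threshold of 10 and the sample lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line: client IP, timestamp, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed install path of the phpMyAdmin login page; adjust to the device.
LOGIN_PATH = re.compile(r"/phpmyadmin/(index\.php)?(\?|$)", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # assumed tuning value
THRESHOLD = 10                  # assumed tuning value


def find_bruteforce_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak login-POST count in one window} for IPs at/over threshold."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not LOGIN_PATH.search(m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


def constructed_sample():
    """Constructed log lines using documentation IP ranges, not captured traffic."""
    fmt = ('{ip} - - [01/Jan/2024:10:{m:02d}:{s:02d} +0000] '
           '"{req} HTTP/1.1" 200 512 "-" "-"')
    post = "POST /phpmyadmin/index.php"
    # 25 login POSTs in 50 seconds from one source: automated guessing.
    lines = [fmt.format(ip="198.51.100.7", m=0, s=2 * i, req=post) for i in range(25)]
    # Three login POSTs spread over ten minutes: an admin mistyping a password.
    lines += [fmt.format(ip="192.0.2.10", m=5 * i, s=0, req=post) for i in range(3)]
    lines.append(fmt.format(ip="192.0.2.10", m=20, s=0, req="GET /phpmyadmin/"))
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforce_sources(constructed_sample()).items():
        print(f"{ip}: {peak} login POSTs within {WINDOW.seconds}s")
```

Flagged addresses can then be fed to a firewall rule or rate limiter; taking the admin interface off the public internet removes the exposure altogether.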

This distribution method, namely searching for the exposed device then attempting to brute force their way in, is not the most common among ransomware operators. Rather, spam email campaigns and other social engineering tactics seemed to be the more popular way of attempting to infect a user. That said, Muhstik and two other new ransomware variants were seen being distributed this way in September alone.

The ransoms demanded by those behind the Muhstik campaigns have ranged from 0.09 Bitcoin to 0.18. After 48 hours, the hacker often will demand double the amount. At the time of writing, 0.36 Bitcoin was approximately $2,800 USD. As with the vast majority of ransomware variants, the victim is presented with a ransom note complete with payment instructions. Victims are advised not to pay the ransom for a variety of reasons. First, there is no guarantee that the hacker is even equipped to decrypt the encrypted data. Second, paying the ransom funds criminal activities including international terrorism or the activities of embargoed countries, which breaks U.S. law.

Victim Hacks Back

A hot topic among security researchers, lawyers, policymakers and tech-savvy dinner tables is the morality of hacking back when you fall victim to a scam or malware campaign. The morality and legality of such actions are far beyond the scope of this article. However, the actions of one victim deserve special mention. Toward the end of September, an attacker began a campaign targeting publicly exposed QNAP NAS devices and encrypting the files on them. The hacker used Muhstik to do this and demanded 0.09 Bitcoin to decrypt the data. At the time, this was approximately $700 USD.

One victim, Tobias Frömel, paid the ransom of $670 USD, which was obviously the last straw for him, and decided to hack the attacker’s command and control server. Frömel revealed to the press that the servers used by the attacker contained web shells that allowed him access to the PHP script, which would generate new passwords for new victims. Frömel noticed that the script, when executed, would create a new password, then store it in a database to be accessed later once the victim had paid the ransom. Armed with this information, Frömel was able to create a new script that allowed for the extraction of the decryption keys.

Frömel was able to generate a list of 2,585 decryption keys that victims could use to decrypt encrypted files without having to pay a ransom. All the keys were published to a popular forum dealing solely with the Muhstik ransomware, as well as Pastebin. Frömel also created a decryptor, which he made publicly available and uploaded to Mega. Several victims have come forward to say that the decryption keys do indeed work.

Other security researchers have also worked on releasing a decryptor for Windows machines. The release of a free decryptor was also followed by comprehensive instructions on how to install and successfully decrypt encrypted files with the .muhstik extension.

If the letter of the law is applied to Frömel, his actions are indeed unlawful. However, it is unlikely that he will face charges and be prosecuted, as his actions potentially helped thousands of other people recover encrypted data. When debating the issues surrounding hacking back, a pragmatic view has emerged suggesting security researchers work with law enforcement when and if the need to hack back arises. A good example of this occurred when researchers worked with French police to bring down the Retadup botnet. Working together, the police and researchers managed to gain access to the botnet’s infrastructure. After gaining access, the researchers instructed the malware to delete itself from infected machines. In all, 850,000 Windows machines were purged of the malware, with the users not having to lift a finger. Further, because of the work done, other researchers were able to positively identify the operator of the botnet and hand over the information to law enforcement officials.

This is in all likelihood not the last the InfoSec community will hear of Muhstik. Tactics and code will be modified and new variants boasting new features will be released into the wild. This is the very nature of the current cyberthreat landscape. This does not mean there are no ways to prevent ransomware attacks. In many ways, the prevention of ransomware attacks is best done simply by adopting best practices in preventing most other malware infections.

Preventing Ransomware Infections

In the case of both Muhstik and QNAPCrypt, having strong passwords would have been a sufficient defense against infection. Having strong passwords for not only NAS servers but for all accounts is an important step every user can take to help prevent malware infections.

As discussed above, not all ransomware is dependent on a brute force attack for compromising and infecting target devices. It is advised that you do not click on suspicious links or attachments and that you always keep software updated. This is common advice and good advice for preventing malware infections of all types.

With regard to ransomware in particular, it is often not possible to find decryptors, especially when the variant is new on the scene. Users should make regular backups so that, if infected, they can restore encrypted files with the ones backed up from an earlier date. When all the measures listed above are combined with a reputable anti-virus package, users can prevent ransomware from robbing them of all their important data.

Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.