Muhstik is a relatively new ransomware strain that researchers have been tracking since the end of September 2019. It targets NAS devices made by the Taiwanese manufacturer QNAP; according to the company's advisory, the operators gain access by brute-forcing weak passwords on the NAS's built-in phpMyAdmin installation.
Once inside, the operators encrypt the user's files and store a copy of each victim's decryption key on their command-and-control server. Encrypted files are recognizable by the appended .muhstik extension. The attackers demand 0.09 bitcoin (approximately $700) to decrypt the data.
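The initial access described above is a plain password-guessing attack against the phpMyAdmin login form, which leaves a very recognizable trace in the NAS's web-server access log. The script below is an added example (not code from the article, QNAP or any of the researchers mentioned) that flags a source address making many login POSTs to phpMyAdmin inside a short window. It assumes an Apache/nginx "combined" log format and assumes that phpMyAdmin answers a failed login with a 200 (form re-rendered) and a successful one with a 302 redirect; the sample log lines are constructed for the example.

```python
"""Flag phpMyAdmin password brute-forcing in web-server access logs.

Heuristic: many POSTs to the phpMyAdmin login endpoint from one source
address inside a short window. A trailing 302 is treated as a successful
login; the 200-vs-302 rule is an assumption about phpMyAdmin behaviour,
not something the article states. Added example, not the page's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed; the real QNAP log layout is
# not given in the article).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
PMA_LOGIN = re.compile(r'^/phpmyadmin/(index\.php)?$', re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], int(m["status"]))


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for flagged sources.

    A source is flagged when `threshold` or more login POSTs fall inside any
    span of length `window` (sliding window over the sorted timestamps).
    """
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; ignore
        ip, ts, method, path, status = rec
        if method == "POST" and PMA_LOGIN.match(path.split("?", 1)[0]):
            posts[ip].append((ts, status))

    findings = {}
    for ip, events in posts.items():
        events.sort()
        times = [t for t, _ in events]
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "attempts": len(events),
                # assumption: phpMyAdmin redirects (302) after a good login
                "succeeded": any(s == 302 for _, s in events),
            }
    return findings


def _mk(ip, second, status, method="POST", path="/phpMyAdmin/index.php"):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [03/Oct/2019:02:14:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1532 "-" "python-requests/2.22.0"')


# Constructed sample: one source hammering the login form once a second and
# succeeding on the 12th try, one ordinary user logging in once, one junk line.
SAMPLE_LOG = (
    [_mk("203.0.113.7", s, 200) for s in range(0, 11)]
    + [_mk("203.0.113.7", 11, 302)]
    + [_mk("198.51.100.5", 20, 200, method="GET"),
       _mk("198.51.100.5", 25, 302)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        state = "SUCCEEDED" if info["succeeded"] else "failed so far"
        print(f"{ip}: {info['attempts']} login POSTs to phpMyAdmin, {state}")
```

Tune `threshold` and `window` to the NAS's normal usage; a single administrator rarely submits the phpMyAdmin login form more than a handful of times in five minutes. A flagged source whose final status is a 302 is the case to treat as a compromise, not just an attempt.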
One of the ransomware's victims turned out to be the German developer Tobias Frömel. He paid the ransom and recovered his data, but did not stop there. After studying how the ransomware worked, he eventually retrieved the key database from the criminals' server. In a Pastebin post he writes that he understands this was illegal, but that he is not the "bad guy" here. The same post contains 2,858 decryption keys.
Frömel did not limit himself to publishing the keys. He also released a decryption tool for the affected files, available for download via MEGA; detailed instructions for using it are posted on the Bleeping Computer forum.
He is currently notifying Muhstik victims about the decryptor via Twitter and advising them not to pay the ransom.
In addition, based on Frömel's data, Emsisoft has released its own Windows decryptor that can also be used to recover files encrypted by Muhstik.