
Muhstik (QNAP NAS) Ransomware (.muhstik) Support Topic


325 replies to this topic

#121 steve500


Posted 06 October 2019 - 02:06 PM

 

Doing that right now when I saw how not detrimentally expensive it is... their decryptor is running on my qnap at 15-30% CPU utilization. Hard to tell if it's actually working yet. Got over 3tb of data to decrypt. 

just look at a few files, it should work... it worked for me... but i feeling scammed 2 times :'(

 

 

Screenshot of resource monitor ( https://imgur.com/a/4gpK8Jq ) Hope imgur links allowed. It maintains 15-40% cpu utilization, switches between uninterruptible and sleeping status.

 

Nothing promising yet, but I have tons of files and tons of directories. Adobe Lightroom libraries mostly. 


Edited by steve500, 06 October 2019 - 02:07 PM.



 


#122 yuckfou


Posted 06 October 2019 - 02:06 PM

 

Doing that right now when I saw how not detrimentally expensive it is... their decryptor is running on my qnap at 15-30% CPU utilization. Hard to tell if it's actually working yet. Got over 3tb of data to decrypt. 

just look at a few files, it should work... it worked for me... but i feeling scammed 2 times :'(

 

 

To monitor the progress of decryption I built a command to count all the encrypted files with the ".muhstik" ending (e.g. PuTTY):
 

# ls -Rc1 "/share/homes/" | grep '\.muhstik$' | wc -l

 

Where "/share/homes/" is the path you want to monitor.

 

If the output is 0 --> congratulations ;)


Edited by yuckfou, 06 October 2019 - 02:16 PM.
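An added example, not part of yuckfou's post: the same progress check written with find, matching the exact ".muhstik" suffix so that names which merely contain the string, or contain spaces, do not skew the count. The function names are hypothetical, and it assumes the NAS's find supports -print0.

```shell
#!/bin/sh
# Added example: track how many files under a share still carry the
# ".muhstik" suffix while a decryptor is running.
# Assumption: find on the NAS supports -print0 (GNU and most BusyBox builds do).
EXT="muhstik"

# count_encrypted DIR -> number of regular files whose name ends in .$EXT
# Counting NUL terminators keeps odd file names (spaces, newlines) from
# being counted more than once.
count_encrypted() {
    find "$1" -type f -name "*.$EXT" -print0 2>/dev/null \
        | tr -cd '\0' | wc -c | tr -d ' '
}

# count_all DIR -> number of regular files of any name
count_all() {
    find "$1" -type f -print0 2>/dev/null | tr -cd '\0' | wc -c | tr -d ' '
}

# progress_line DIR -> "remaining=N total=M pct_done=P"
# pct_done is the share of files that do not carry the suffix.
progress_line() {
    enc=$(count_encrypted "$1")
    all=$(count_all "$1")
    if [ "$all" -eq 0 ]; then
        pct=100
    else
        pct=$(( (all - enc) * 100 / all ))
    fi
    printf 'remaining=%s total=%s pct_done=%s\n' "$enc" "$all" "$pct"
}

# watch_progress DIR [SECONDS]: print a timestamped line every SECONDS
# (default 60) and return once no file with the suffix is left.
watch_progress() {
    while :; do
        line=$(progress_line "$1")
        printf '%s %s\n' "$(date '+%H:%M:%S')" "$line"
        case $line in
            remaining=0\ *) return 0 ;;
        esac
        sleep "${2:-60}"
    done
}
```

Call it as `watch_progress /share/homes/ 300`, with the path you want to monitor.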


#123 battleck


Posted 06 October 2019 - 02:11 PM

Screenshot of resource monitor ( https://imgur.com/a/4gpK8Jq ) Hope imgur links allowed. It maintains 15-40% cpu utilization, switches between uninterruptible and sleeping status.

 

Nothing promising yet, but I have tons of files and tons of directories. Adobe Lightroom libraries mostly. 

just a question, did you buy the discount 0.02btc decrypter and get your key?



#124 steve500


Posted 06 October 2019 - 02:13 PM

 

 

Doing that right now when I saw how not detrimentally expensive it is... their decryptor is running on my qnap at 15-30% CPU utilization. Hard to tell if it's actually working yet. Got over 3tb of data to decrypt. 

just look at a few files, it should work... it worked for me... but i feeling scammed 2 times :'(

 

 

To monitor the progress of decryption I built a command to count all the encrypted files with the ".muhstik" ending (e.g. PuTTY):
 

# ls -Rc1 "/share/homes/" | grep '\.muhstik$' | wc -l

 

Where "/share/homes/" is the path you want to monitor.

 

If the output is 0 --> congratulations ;)

 

 

Thank you ! I will give this a shot. 

 

 

Screenshot of resource monitor ( https://imgur.com/a/4gpK8Jq ) Hope imgur links allowed. It maintains 15-40% cpu utilization, switches between uninterruptible and sleeping status.

 

Nothing promising yet, but I have tons of files and tons of directories. Adobe Lightroom libraries mostly. 

just a question, did you buy the discount 0.02btc decrypter and get your key?

 

 

I did, yes. 



#125 whizard12


Posted 06 October 2019 - 10:22 PM

Can someone please advise me on what to do in my situation? I shut my QNAP off while it was in the middle of encrypting files. Have not restarted it yet. I don't have a ransom letter to follow, as it never finished infecting all of my files. Do I need to restart it and allow it to run its course and infect everything so that I get the ransom letter in order to pay for my decrypter key? Also, is there a way I can copy my files before doing this, since some of my files were not yet encrypted? If so, how would I go about this? Thank you.



#126 battleck


Posted 06 October 2019 - 10:36 PM

wow, it seems the sites are offline? is it still available on tor? have it not installed...


Edited by battleck, 06 October 2019 - 10:36 PM.


#127 muhstikmyass


Posted 07 October 2019 - 01:17 AM

wow, it seems the sites are offline? is it still available on tor? have it not installed...

 

The Tor sites are still up



#128 yuckfou


Posted 07 October 2019 - 01:50 AM

wow, it seems the sites are offline? is it still available on tor? have it not installed...

 

Probably someone downloaded it manually? I think the decrypter never has been online on the tor sites...


Edited by yuckfou, 07 October 2019 - 01:50 AM.


#129 steve500


Posted 07 October 2019 - 02:05 AM

 

wow, it seems the sites are offline? is it still available on tor? have it not installed...

 

Probably someone downloaded it manually? I think the decrypter never has been online on the tor sites...

 

 

 

I have the decrypter downloaded. I used simple unix command at /root shell command to move it somewhere easier to access with filestation to then download it. 

 

cp decrypt /share/homes/username/folder

 

This copied the decrypter currently running on mine. If you pay them and receive your key, you can place that file on your nas and execute it the same way they instruct you to as it should be the same decrypter tool.

 

https://send.firefox.com/download/c43c401c638ec54a/#smMY39cSduOpB8dl7T59sw



#130 battleck


Posted 07 October 2019 - 02:14 AM

hey guys,
good news for you all, bad news for me cause i paid already... maybe someone can give me a tip for my hard work ^^
my wallet: 1JrwK1hpNXHVebByLD2te4E2KzxyMnvhb
 
i hacked back this criminal and get the whole database with keys, here it is:
 
decryption software:
 
manual:
upload to nas:
"chmod +x decrypt"
"sudo ./decrypt YOURDECRYPTIONKEY"
 
and yeah, i know it was not legal from me too but he used already hacked servers with several webshells on it... and im not the bad guy here :D
 
but its really sad, i lost 670 € to this criminal :'(
 
cheers
battleck aka tobias frömel
 

Edited by battleck, 07 October 2019 - 02:22 AM.


#131 animaster84


Posted 07 October 2019 - 02:19 AM

TOP battleck!!!

 

So what is the correct procedure to make the tool work??



#132 battleck


Posted 07 October 2019 - 02:30 AM

TOP battleck!!!

 

So what is the correct procedure to make the tool work??

your nas should not be connected to the web, so download the file "decrypt" from mega.nz, then put it on a usb stick, put that stick in your nas, copy it to any folder you like, make it executable with "chmod +x decrypt" and then search in the list for your id and use the decryption key behind it, as said above, with "sudo ./decrypt YOURDECRYPTIONKEY"



#133 animaster84


Posted 07 October 2019 - 02:35 AM

Thanks!!!
 

How can I see if there is still malware in my QNAP?



#134 battleck


Posted 07 October 2019 - 02:47 AM

Thanks!!!
 

How can I see if there is still malware in my QNAP?

you should take a backup before decryption... and then after... then clean your nas by formatting the hard drives and doing a DOM recovery, please google ;)



#135 yuckfou


Posted 07 October 2019 - 02:49 AM

 

hey guys,
good news for you all, bad news for me cause i paid already... maybe someone can give me a tip for my hard work ^^
my wallet: 1JrwK1hpNXHVebByLD2te4E2KzxyMnvhb
 
i hacked back this criminal and get the whole database with keys, here it is:
 
decryption software:
 
manual:
upload to nas:
"chmod +x decrypt"
"sudo ./decrypt YOURDECRYPTIONKEY"
 
and yeah, i know it was not legal from me too but he used already hacked servers with several webshells on it... and im not the bad guy here :D
 
but its really sad, i lost 670 € to this criminal :'(
 
cheers
battleck aka tobias frömel
 

 

 

Great job :)

Well done!!

 

I can confirm: my ID and the private key match.





