Threat Watch

Ransomware Victim Hacks Back

Tobias Frömel, a victim of the Muhstik ransomware, paid $735 USD for a decryption key after his NAS device was infected by the malware. With no backups and no known decryption keys that would work for him, Frömel was frustrated that he had put himself in this position. After he paid the ransom, he did not just sit back and try to better protect himself from the next attack; he took action. Frömel analyzed the malware that was on his device, determined how it worked, and went after the attacker who had hacked him. By “hacking back” against the attacker, Frömel managed to breach the database that the attacker used to store the decryption keys and steal them. Frömel then posted the keys to Pastebin for anyone who had been attacked to find and use. Going one step further, Frömel, who goes by “battleck” on Twitter, made it his mission to seek out those attacked by the ransomware and tell them that the keys were now posted publicly. Frömel admitted that he knew what he did was illegal and should not be done by others.


Hacking back should never be done and is just as illegal as the original attack that prompted the response. The responder faces the same penalty as the threat actor, and because they are acting out of spite, they are more likely to make a mistake that allows anyone to trace the attack back to them. The easiest way to combat ransomware is to keep a backup of all documents and files on the device in a separate offline location that cannot be affected in case of a breach. Security monitoring and response can also help reduce this threat. Binary Defense monitoring through Vision has had a high success rate in stopping ransomware attacks, once detected, from moving through an entire company, greatly reducing the number of infected devices from an attack.