Free Muhstik, HildaCrypt, and Nempty Ransomware Decryptors Released

Over the past few days, free decryptors have been released for three ransomware variants – Muhstik, HildaCrypt, and Nempty Ransomware. The decryptors will allow victims of these ransomware variants to recover their files without paying a ransom.

Free Decryptor for Nemty Ransomware

Researchers at cybersecurity firm Tesorian have developed a free decryptor for Nemty ransomware which works on versions 1.4 and 1.6 of the ransomware. A free decryptor for version 1.5 will also soon be released. Currently the decryptor only works for certain file types, although more are being added on a daily basis.

Rather than supplying the decryptor, it remains on Tesorian servers where the decryption key generation process occurs. This approach was taken to prevent the ransomware developers from analyzing the decryptor and discovering the flaws in their encryption program that enabled the decryptor to be developed. The decryptor can be obtained by contacting Tesorian.

Free Decryptor for HildaCrypt Ransomware

The private decryption keys for HildaCrypt ransomware have been released by the developer.

Security researcher GrujaRS identified a new ransomware variant which was believed to be a new form of STOP ransomware. After posting the discovery on Twitter, the developer, J0hanna, made contact and advised him that the ransomware had been misidentified and that it was actually a HildaCrypt variant. The developer then provided the master keys which allow any victims to recover their files free of charge.

GrujaRS provided the master keys to ransomware researcher Michael Gillespie, who developed a decryptor, which can be found here.

It would appear that this threat was not created with the aim of extorting money, instead it appears to have been developed as an educational project. According to Bleeping Computer, the ransomware has not been used on anyone, but it is possible that the binaries may be obtained and used in real-world attacks.

Muhstik Ransomware Decryption Keys

A threat actor has been conducting attacks on publicly exposed QNAP NAS devices since the end of September and deploying Muhstik ransomware. A ransom of 0.09 BTC is demanded – approximately $700 – for the keys to unlock the encryption. These ransomware attacks can be identified by the extension muhstik on encrypted files.

A victim of Muhstik ransomware – Tobias Frömel – decided to get revenge against the attacker following a successful attack in which a ransom of €670 was paid. Frömel hacked the attacker’s C2 server via web shells and accessed the PHP script that generates passwords for ransomware victims. He created a new PHP file based on the original key generator, obtained the victim specific HWIDs, and the decryption keys for 2,858 victims of the ransomware. The keys can be obtained on Pastebin, and New Zealand cybersecurity firm Emsisoft has also now released a free decryptor for Muhstik ransomware.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of