Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data

A group of academic researchers has found a way to exploit a security flaw in the encryption algorithm used by the Hive ransomware to recover hijacked and encrypted data.

In a research paper published last week, academics from the Kookmin University of Seoul documented how a vulnerability in Hive’s encryption allowed them to recover the master key and restore data without having the attacker’s RSA private key.

Hive uses a hybrid encryption scheme that relies on its own symmetric cipher for file encryption, and the researchers identified how the ransomware creates and stores the master key used for that encryption.

“Hive ransomware generates 10MiB of random data, and uses it as a master key. For each file to be encrypted, 1MiB and 1KiB of data are extracted from a specific offset of the master key and used as a keystream. The offset used at this time is stored in the encrypted file name of each file. Using the offset of the keystream stored in the filename, it is possible to extract the keystream used for encryption,” the researchers note.

While a different keystream is used to encrypt each file, the academics discovered they could guess the random keystream and devised a method that allowed them to recover more than 95 percent of the master key used for keystream generation.

For their experiments, the researchers infected several Windows systems with Hive, took memory snapshots before the encryption process was completed – to retrieve the randomly generated master key that is destroyed at the end of the encryption – and then proceeded to collect as many data encryption keystreams as possible to then restore the master key.

The fact that Hive encrypts files and folders in the Program Files directory helped the researchers in their endeavor, as they could compare the encrypted files with their original counterparts that were downloaded from the Internet.

The academics say they registered a 95.85 percent success rate in recovering the master key and believe that this method can significantly reduce the damage caused by Hive ransomware infections to all types of victims, including organizations.

“The decryption method is feasible without access to the attacker’s information, using just encrypted files. We obtained the master key by solving numerous equations for XOR operations acquired from the encrypted files. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware,” the academics added.
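The recovery the researchers describe, as a scaled-down toy model added here (not the paper's code): known originals XORed with their encrypted copies yield keystream bytes, and the offsets carried in each encrypted filename place those bytes back into the master key. The master-key and segment sizes, the `file.<o1>.<o2>.enc` name layout and the way the two segments form a keystream are assumptions of this example, not Hive's actual format.

```python
import random

# Toy sizes standing in for Hive's 10 MiB master key and its 1 MiB / 1 KiB segments.
MASTER_LEN, SEG1_LEN, SEG2_LEN = 4096, 256, 16
FILE_LEN = SEG1_LEN + SEG2_LEN  # one toy file consumes exactly one keystream

def keystream(master, o1, o2):
    # Assumed model: the segment at o1 followed by the segment at o2.
    return master[o1:o1 + SEG1_LEN] + master[o2:o2 + SEG2_LEN]

def encrypt_file(master, plaintext, o1, o2):
    """Return (ciphertext, encrypted name); the name carries both offsets, as Hive's
    does. The 'file.<o1>.<o2>.enc' layout is constructed for this example."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(master, o1, o2)))
    return ct, f"file.{o1:08x}.{o2:08x}.enc"

def key_positions(name, length):
    """Master-key index behind each of the first `length` bytes of a file."""
    _, o1, o2, _ = name.split(".")
    o1, o2 = int(o1, 16), int(o2, 16)
    return [o1 + i if i < SEG1_LEN else o2 + i - SEG1_LEN for i in range(length)]

def recover_master(samples):
    """samples: (encrypted name, ciphertext, known original) triples, e.g. Program
    Files binaries with downloadable pristine copies. pt XOR ct = keystream."""
    key, known = bytearray(MASTER_LEN), [False] * MASTER_LEN
    for name, ct, pt in samples:
        for pos, c, p in zip(key_positions(name, len(ct)), ct, pt):
            key[pos], known[pos] = c ^ p, True
    return bytes(key), known
def coverage(known):
    return 100.0 * sum(known) / len(known)  # percent of master key recovered

def try_decrypt(key, known, name, ct):
    """Decrypt only if every keystream byte this file needs was recovered, else None."""
    pos = key_positions(name, len(ct))
    if not all(known[p] for p in pos):
        return None
    return bytes(c ^ key[p] for c, p in zip(ct, pos))

def simulate(n_known=120, seed=7):
    # Constructed victim: n_known files with known originals under a random master key.
    rng, samples = random.Random(seed), []
    master = bytes(rng.randrange(256) for _ in range(MASTER_LEN))
    for _ in range(n_known):
        pt = bytes(rng.randrange(256) for _ in range(FILE_LEN))
        o1, o2 = rng.randrange(MASTER_LEN - SEG1_LEN), rng.randrange(MASTER_LEN - SEG2_LEN)
        ct, name = encrypt_file(master, pt, o1, o2)
        samples.append((name, ct, pt))
    return (master,) + recover_master(samples)
```

Even in the toy, coverage stays below 100 percent because key bytes near the ends of the master key are rarely selected, so `try_decrypt` refuses files whose keystream touches an unrecovered byte rather than producing corrupted output.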

Initially observed in June 2021, Hive is offered on an affiliate-based model, employing a wide range of tactics, techniques, and procedures (TTPs) and exfiltrating data of interest to leverage it for extortion purposes.

In an alert in August last year, the FBI noted that Hive also stops processes of backup, cybersecurity, and file copying applications, so as to be able to encrypt all of the targeted files. The ransomware also targets Program Files directories for encryption.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.