Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data

A group of academic researchers has found a way to exploit a security flaw in the encryption algorithm used by the Hive ransomware to recover hijacked and encrypted data.

In a research paper published last week, academics from the Kookmin University of Seoul documented how a vulnerability in Hive’s encryption allowed them to recover the master key and restore data without having the attacker’s RSA private key.

Hive uses a hybrid encryption scheme and relies on its own symmetric cipher for file encryption, and the researchers were able to identify the manner in which the ransomware creates and stores the master key used for encryption.

“Hive ransomware generates 10MiB of random data, and uses it as a master key. For each file to be encrypted, 1MiB and 1KiB of data are extracted from a specific offset of the master key and used as a keystream. The offset used at this time is stored in the encrypted file name of each file. Using the offset of the keystream stored in the filename, it is possible to extract the keystream used for encryption,” the researchers note.

While a different keystream is used to encrypt each file, the academics discovered they could guess the random keystream and devised a method that allowed them to recover more than 95 percent of the master key used for keystream generation.

For their experiments, the researchers infected several Windows systems with Hive, took memory snapshots before the encryption process was completed – to retrieve the randomly generated master key that is destroyed at the end of the encryption – and then proceeded to collect as many data encryption keystreams as possible to then restore the master key.

The fact that Hive encrypts files and folders in the Program Files directory helped the researchers in their endeavor, as they could compare the encrypted files with their original counterparts that were downloaded from the Internet.

The academics say they registered a 95.85 percent success rate in recovering the master key and believe that this method can significantly reduce the damage caused by Hive ransomware infections to all types of victims, including organizations.

“The decryption method is feasible without access to the attacker’s information, using just encrypted files. We obtained the master key by solving numerous equations for XOR operations acquired from the encrypted files. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware,” the academics added.
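As an added illustration (not code from the researchers or from SecurityWeek), the scaled-down Python model below shows why known originals are enough: every known byte yields one equation master[a] ^ master[b] = p ^ c, and a union-find that tracks XOR distances turns those equations into the XOR of any two linked key positions, which is all a decryptor needs even though the absolute master-key bytes stay unknown. The 2048/128/16-byte sizes, the offsets and the file contents are constructed stand-ins for 10 MiB/1 MiB/1 KiB, and combining the two segments by XOR is an assumption about the scheme.

```python
import os
MASTER_LEN, SEG1, SEG2 = 2048, 128, 16  # scaled stand-ins for 10 MiB, 1 MiB and 1 KiB (constructed)

def hive_xor(data, master, off1, off2):
    """Encrypt or decrypt: byte i is XORed with master[off1 + i % SEG1] ^ master[off2 + i % SEG2] (assumed combination)."""
    return bytes(b ^ master[off1 + i % SEG1] ^ master[off2 + i % SEG2] for i, b in enumerate(data))

class XorUnionFind:
    """Stores equations master[a] ^ master[b] = v; any two positions in one component have a known XOR."""
    def __init__(self, n):
        self.parent = list(range(n))
        self.to_parent = [0] * n  # master[x] ^ master[parent[x]]

    def find(self, x):
        acc = 0
        while self.parent[x] != x:
            acc ^= self.to_parent[x]
            x = self.parent[x]
        return x, acc  # (root, master[x] ^ master[root])

    def add_equation(self, a, b, v):
        (ra, xa), (rb, xb) = self.find(a), self.find(b)
        if ra != rb:  # link the roots so that master[ra] ^ master[rb] stays consistent with v
            self.parent[ra], self.to_parent[ra] = rb, xa ^ xb ^ v

    def pair_xor(self, a, b):
        (ra, xa), (rb, xb) = self.find(a), self.find(b)
        return xa ^ xb if ra == rb else None

def learn_from_known_file(uf, plain, cipher, off1, off2):
    """A known original (the Program Files case) yields one equation per byte."""
    for i, (p, c) in enumerate(zip(plain, cipher)):
        uf.add_equation(off1 + i % SEG1, off2 + i % SEG2, p ^ c)

def decrypt_with_recovered(uf, cipher, off1, off2):
    """Decrypt each byte whose two key positions are linked; unresolved bytes stay None."""
    return [None if (k := uf.pair_xor(off1 + i % SEG1, off2 + i % SEG2)) is None else c ^ k
            for i, c in enumerate(cipher)]

def recovery_demo(victim_off1, victim_off2):
    """Returns (resolved bytes, total bytes, all resolved bytes correct) for a constructed victim file."""
    master = os.urandom(MASTER_LEN)  # the attacker's master key; the defender never sees it
    uf = XorUnionFind(MASTER_LEN)
    known = [(bytes(range(256)) * 2, 0, 1024), (b"MZ\x90\x00" * 128, 64, 1040)]  # constructed originals
    for plain, o1, o2 in known:
        learn_from_known_file(uf, plain, hive_xor(plain, master, o1, o2), o1, o2)
    victim = b"confidential report, constructed sample\n" * 10
    cipher = hive_xor(victim, master, victim_off1, victim_off2)  # offsets would come from the file name
    got = decrypt_with_recovered(uf, cipher, victim_off1, victim_off2)
    return sum(b is not None for b in got), len(victim), all(b is None or b == v for b, v in zip(got, victim))
```

Coverage depends only on how the victim file's offsets overlap the learned regions: offsets that land inside them decrypt fully, offsets that reach past them decrypt partially, and offsets whose two positions never end up in one component decrypt nothing, which is the effect behind the partial recovery rate the researchers report.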

Initially observed in June 2021, Hive is offered on an affiliate-based model, employing a wide range of tactics, techniques, and procedures (TTPs) and exfiltrating data of interest to leverage it for extortion purposes.

In an alert in August last year, the FBI noted that Hive also stops processes of backup, cybersecurity, and file copying applications, so as to be able to encrypt all of the targeted files. The ransomware also targets Program Files directories for encryption.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
