Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data
A group of academic researchers has found a way to exploit a security flaw in the encryption algorithm used by the Hive ransomware to recover hijacked and encrypted data.
In a research paper published last week, academics from the Kookmin University of Seoul documented how a vulnerability in Hive’s encryption allowed them to recover the master key and restore data without having the attacker’s RSA private key.
Hive uses a hybrid encryption scheme: files are encrypted with the ransomware's own symmetric cipher, and the key material that drives that cipher is protected with the attacker's RSA public key. The researchers worked out how the ransomware creates and stores the master key from which per-file encryption keys are derived.
“Hive ransomware generates 10MiB of random data, and uses it as a master key. For each file to be encrypted, 1MiB and 1KiB of data are extracted from a specific offset of the master key and used as a keystream. The offset used at this time is stored in the encrypted file name of each file. Using the offset of the keystream stored in the filename, it is possible to extract the keystream used for encryption,” the researchers note.
Although each file is encrypted with a different keystream, every keystream is a slice of the same master key. Any file whose original content is available therefore yields the keystream bytes used to encrypt it, and by collecting these slices across many files the academics devised a method that recovered more than 95 percent of the master key.
For their experiments, the researchers infected several Windows systems with Hive and took memory snapshots before the encryption process completed, to capture the randomly generated master key that the ransomware destroys once encryption finishes and thus have the real key to check their results against. They then collected as many per-file keystreams as possible and used them to reconstruct the master key.
The fact that Hive also encrypts files and folders in the Program Files directory helped the researchers in their endeavor: the original files could be downloaded from the Internet and compared with their encrypted counterparts, a classic known-plaintext setting.
The academics say they registered a 95.85 percent success rate in recovering the master key and believe that this method can significantly reduce the damage caused by Hive ransomware infections to all types of victims, including organizations.
“The decryption method is feasible without access to the attacker’s information, using just encrypted files. We obtained the master key by solving numerous equations for XOR operations acquired from the encrypted files. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware,” the academics added.
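To make the flaw concrete, here is an added example, constructed for this article and not the researchers' code or anything taken from Hive. It models a scaled-down version of the scheme described above: a random master key, per-file keystreams cut from it at offsets that are written into the encrypted file's name, XOR encryption, and a solver that turns known plaintext/ciphertext pairs into XOR equations over master-key positions. Two assumptions are not stated on the page and are labelled as such in the code: that the two slices (the 1 MiB and 1 KiB pieces) are combined by XOR, and the file-name format; the key and slice sizes are shrunk (4 KiB, 256 bytes and 32 bytes) so the simulation runs instantly.

```python
# Constructed, scaled-down model of the Hive keystream flaw; not the
# researchers' or Hive's code.  Assumptions: the two master-key slices are
# combined by XOR (the article only says both are used as the keystream),
# sizes are shrunk, and the file-name format is hypothetical.
import random

MASTER_LEN = 4096   # stands in for the 10 MiB master key
BIG = 256           # stands in for the 1 MiB slice
SMALL = 32          # stands in for the 1 KiB slice

def key_positions(ob, os_, length):
    """Master-key index pair (big slice, small slice) feeding each keystream byte."""
    return [(ob + i % BIG, os_ + i % SMALL) for i in range(length)]

def encrypt_file(master, data, ob, os_):
    """XOR data with K[ob + i % BIG] ^ K[os_ + i % SMALL]; the offsets go in the name."""
    ct = bytes(p ^ master[a] ^ master[b]
               for p, (a, b) in zip(data, key_positions(ob, os_, len(data))))
    return f"report.docx.{ob:08x}{os_:08x}.hive", ct   # hypothetical name format

def parse_offsets(name):
    """Read the two offsets back out of an encrypted file's name."""
    hexpart = name.split(".")[-2]
    return int(hexpart[:8], 16), int(hexpart[8:], 16)

class XorSolver:
    """Union-find over master-key positions with diff[x] = K[x] ^ K[parent[x]].
    Each known-plaintext byte gives one equation K[a] ^ K[b] = c ^ p; once a and
    b share a component, K[a] ^ K[b] is known, which is all decryption needs."""
    def __init__(self, n):
        self.parent = list(range(n))
        self.diff = [0] * n

    def find(self, x):
        """Return (root, K[x] ^ K[root]) with path compression."""
        path = []
        while self.parent[x] != x:
            path.append(x)
            x = self.parent[x]
        root, acc = x, 0
        for node in reversed(path):       # nodes closest to the root first
            acc ^= self.diff[node]
            self.diff[node], self.parent[node] = acc, root
        return root, acc

    def add_equation(self, a, b, v):
        """Record K[a] ^ K[b] = v; returns False if it contradicts earlier data."""
        ra, da = self.find(a)
        rb, db = self.find(b)
        if ra == rb:
            return da ^ db == v
        self.parent[ra], self.diff[ra] = rb, da ^ v ^ db
        return True

    def xor_of(self, a, b):
        """K[a] ^ K[b] if the equations so far determine it, else None."""
        ra, da = self.find(a)
        rb, db = self.find(b)
        return da ^ db if ra == rb else None

def learn(solver, name, ct, known_pt):
    """Feed one encrypted file whose original (e.g. a Program Files binary) is known."""
    ob, os_ = parse_offsets(name)
    ok = True
    for (a, b), c, p in zip(key_positions(ob, os_, len(ct)), ct, known_pt):
        ok &= solver.add_equation(a, b, c ^ p)
    return ok

def decrypt(solver, name, ct):
    """Return (plaintext, unresolved byte positions); unresolved bytes stay 0."""
    ob, os_ = parse_offsets(name)
    out, missing = bytearray(len(ct)), []
    for i, ((a, b), c) in enumerate(zip(key_positions(ob, os_, len(ct)), ct)):
        k = solver.xor_of(a, b)
        if k is None:
            missing.append(i)
        else:
            out[i] = c ^ k
    return bytes(out), missing

def simulate(n_known=40, seed=1):
    """Infect constructed files, learn from the known ones, decrypt an unseen one."""
    rng = random.Random(seed)

    def rand(n):
        return bytes(rng.randrange(256) for _ in range(n))

    def offsets():   # the ransomware picks these per file; modelled as uniform
        return rng.randrange(MASTER_LEN - BIG + 1), rng.randrange(MASTER_LEN - SMALL + 1)

    master, solver = rand(MASTER_LEN), XorSolver(MASTER_LEN)
    for _ in range(n_known):                       # originals obtainable elsewhere
        pt = rand(512)
        learn(solver, *encrypt_file(master, pt, *offsets()), pt)
    victim = rand(1000)                            # no original copy available
    pt, missing = decrypt(solver, *encrypt_file(master, victim, *offsets()))
    gone = set(missing)
    exact = all(pt[i] == victim[i] for i in range(len(victim)) if i not in gone)
    return {"recovered_bytes": len(victim) - len(missing),
            "total_bytes": len(victim), "all_recovered_correct": exact}

if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` prints how many bytes of a file with no known original could be recovered from the equations contributed by 40 files whose originals were available. Two points the code makes that the prose only implies: the solver never needs an absolute master-key byte, only XOR differences between positions that end up in the same component, and the fraction of a victim file that decrypts is exactly the fraction of its keystream positions that the known files happened to touch, which is the kind of coverage figure behind the 95.85 percent result.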
Initially observed in June 2021, Hive is offered on an affiliate-based model, employing a wide range of tactics, techniques, and procedures (TTPs) and exfiltrating data of interest to leverage it for extortion purposes.
In an alert in August last year, the FBI noted that Hive also stops processes of backup, cybersecurity, and file copying applications, so as to be able to encrypt all of the targeted files. The ransomware also targets Program Files directories for encryption.