Great news for Hive ransomware victims – security researchers have found a way to decipher its encryption without the master key. A group of academics from South Korea’s Kookmin University has shared its findings in a detailed report titled “A Method for Decrypting Data Infected with Hive Ransomware”. According to the report, the researchers were able to “recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis.”
Hive Ransomware Encryption Explained
Hive uses hybrid encryption together with its own symmetric cipher to encrypt the victim’s files. The researchers were able to recover the master key that generates the file encryption keys without the private key held by the attackers, thanks to a cryptographic flaw they discovered during analysis. In their experiments, the report says, encrypted files were successfully decrypted using the recovered master key.
How Did the Researchers Defeat Hive’s Encryption?
“To the best of our knowledge, this is the first successful attempt at decrypting the Hive ransomware,” the academics added.
In an experiment, the researchers demonstrated that more than 95% of the keys Hive uses for encryption could be recovered with the method they discovered. First, they worked out how the ransomware generates and stores the master key: it generates 10MiB of random data and uses it as the master key.
“For each file to be encrypted, 1MiB and 1KiB of data are extracted from a specific offset of the master key and used as a keystream. The offset used at this time is stored in the encrypted file name of each file. Using the offset of the keystream stored in the filename, it is possible to extract the keystream used for encryption,” the report said.
Furthermore, the ransomware encrypts data by XORing it with a random keystream that is unique to each file but easy enough to guess. Finally, the researchers propose “a method for decrypting encrypted files without the attacker’s private key.” This is possible because Hive does not use all bytes of the master key that is encrypted with the public key. As a result, more than 95% of the master key used to generate the encryption keystream was recovered, meaning that most of the infected files could be recovered with the recovered master key.
More specifically, “the master key recovered 92% succeeded in decrypting approximately 72% of the files, the master key restored 96% succeeded in decrypting approximately 82% of the files, and the master key restored 98% succeeded in decrypting approximately 98% of the files,” according to the report.
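To make the mechanism and the partial-recovery figures above concrete, here is an added, scaled-down model of the scheme the quotes describe (example code written for this page, not code from the paper or from Hive itself): one random master key, per-file keystreams sliced from it at an offset carried in the encrypted file name, XOR encryption, and a known-plaintext step that learns master-key bytes from files whose originals are still available. The toy sizes, the file-name encoding and the recovery routine are assumptions of this example; the point it shows is why a master key that is only partly recovered decrypts only the files whose keystream slices it fully covers.

```python
import random

# Constructed, scaled-down model of the scheme described above (toy sizes, not
# Hive's 10MiB master key or 1MiB/1KiB keystreams): each file's keystream is a
# slice of one master key, and the slice offset travels in the encrypted file name.
MASTER_KEY_LEN = 4096
KEYSTREAM_LEN = 256

def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR data with the keystream, cycling it if the data is longer."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))

def encrypt_file(master_key: bytes, plaintext: bytes, offset: int) -> tuple[str, bytes]:
    """Return (encrypted file name carrying the offset, ciphertext)."""
    return f"{offset:08x}.hive", xor_bytes(plaintext, master_key[offset:offset + KEYSTREAM_LEN])

def offset_from_name(name: str) -> int:
    return int(name.split(".")[0], 16)

def learn_master_key_bytes(recovered: dict, name: str, ciphertext: bytes, known_plaintext: bytes) -> None:
    """Known plaintext: c ^ p is a keystream byte, i.e. the master-key byte at offset + i."""
    offset = offset_from_name(name)
    for i, (c, p) in enumerate(zip(ciphertext, known_plaintext)):
        recovered[offset + (i % KEYSTREAM_LEN)] = c ^ p

def decrypt_with_recovered(recovered: dict, name: str, ciphertext: bytes):
    """Decrypt only if every master-key byte this file's keystream needs was recovered."""
    offset = offset_from_name(name)
    needed = range(offset, offset + min(KEYSTREAM_LEN, len(ciphertext)))
    if any(k not in recovered for k in needed):
        return None  # a gap in the recovered master key leaves this file undecryptable
    return xor_bytes(ciphertext, bytes(recovered[k] for k in needed))

def demo(known_files: int = 14) -> tuple[float, bool, bool]:
    """Learn master-key bytes from files whose originals are known (e.g. still in a backup),
    then try two files never seen in clear: (fraction recovered, first ok, second ok)."""
    rng = random.Random(1)  # reproducible toy victim
    master_key = bytes(rng.randrange(256) for _ in range(MASTER_KEY_LEN))
    recovered: dict = {}
    for i in range(known_files):  # the known files happen to tile the first slices of the key
        plain = bytes(rng.randrange(256) for _ in range(512))
        name, ct = encrypt_file(master_key, plain, i * KEYSTREAM_LEN)
        learn_master_key_bytes(recovered, name, ct, plain)
    coverage = len(recovered) / MASTER_KEY_LEN
    secret = b"constructed secret document\n" * 20
    inside = encrypt_file(master_key, secret, 3 * KEYSTREAM_LEN + 100)        # within recovered region
    outside = encrypt_file(master_key, secret, MASTER_KEY_LEN - KEYSTREAM_LEN)  # slice never recovered
    return (coverage, decrypt_with_recovered(recovered, *inside) == secret,
            decrypt_with_recovered(recovered, *outside) == secret)
```

With 14 of 16 key slices learned, `demo()` reports 87.5% of the master key recovered, decrypts the file whose slice lies inside that region and refuses the one whose slice was never learned, which is the same effect the report's 92%/96%/98% figures describe at scale.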