The Hive Ransomware’s master key retrieved by exploiting a flaw in the malware’s encryption algorithm

The Hive Ransomware Master key

A group of academics from South Korea’s Kookmin University have published a new paper explaining the encryption process of the infamous Hive Ransomare. The study also reveals the “first successful attempt” at decrypting data infected with Hive ransomware without depending on the private key that was used to encrypt the content and prevent access to it from being restored.

Hive Ransomware master key

The breakthrough is possible thanks to exploiting a cryptographic vulnerability discovered through analysis, where the ransomware researchers were able to recover the master key for generating the file encryption key without requiring
the attacker’s private key.

Hive is a fearful Ransomware-as-a-service threat, which, like other infections of this type, employs a variety of methods to breach company networks, exfiltrate data, and encrypt data on the networks, and then seeks to collect a ransom in return for access to the decryption software.

The malware made its first appearance when it hit a business called Altus Group in June 2021. This attack was the first time anybody had ever heard of it. To get access to a system, Hive employs a number of initial compromise
methods, including exploited RDP servers, compromised VPN credentials, and phishing emails with malicious attachments.

The criminal group behind the malware also engages in the increasingly profitable strategy of double extortion, in which the actors go beyond simply encrypting sensitive victim data by additionally exfiltrating the material and
threatening to publish it on their Tor website, “HiveLeaks.”

A total of 355 businesses have been targeted by the Hive RaaS malware as of October 16, 2021, according to blockchain analytics company Chainalysis. This number of victims has secured the criminal gang the eighth rank among the top 10 ransomware strains in terms of income for the last year.

A Flash report explaining the attacks’ modus operandi was also released by the United States Federal Bureau of Investigation (FBI), which noted that the ransomware interrupts programs linked to backups, anti-virus, and file copying
in order to assist the encryption of files.

Because of a cryptographic flaw discovered by researchers, a ransomware strain is selectively encrypting selected bits of the file rather than the complete contents, and two keystreams derived from the master key are used to encrypt
the remaining portions of the file.

Specifically, two keystreams from the master key are required for each file encryption process, according to the researchers. By picking two random offsets from the master key and extracting 0x100000 bytes (1MiB) and 0x400 bytes (1KiB) from each selected offset, two keystreams are generated.

Afterwards, the encryption keystream, which is formed by performing an XOR operation on the two keystreams, is XORed with the data stored in alternate blocks to produce the encrypted file. However, using this approach, it is
possible to estimate the keystreams and recover the master key, which in turn allows the decoding of encrypted data without the need for the attacker’s private key to be accessed.

In their study, the researchers claimed that they were able to exploit the detected issue in order to design a mechanism that could successfully retrieve more than 95 percent of the keys used during the encryption process, giving new hope for the victims to recover their data and reduce the damage caused by the malware.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment