Researchers found a Hive ransomware master key via cryptographic vulnerability

Hive ransomware master key

A group of South Korean researchers from Kookmin University published a report detailing how they recovered the Hive ransomware master key and a method for restoring files encrypted with it.

By exploiting a cryptographic vulnerability, the researchers were able to recover the malware's master key, the material from which Hive derives its per-file encryption keys.

"Hive ransomware generates 10MiB of random data, and uses it as a master key. For each file to be encrypted, 1MiB and 1KiB of data are extracted from a specific offset of the master key and used as a keystream. The offset used at this time is stored in the encrypted file name of each file. Using the offset of the keystream stored in the filename, it is possible to extract the keystream used for encryption," the researchers note.

Hive uses a hybrid encryption scheme and relies on its own symmetric cipher to encrypt files, and the researchers were able to determine the way the ransomware generates and stores the master key.

"After analysing the process of the Hive ransomware, we were convinced of the existence of vulnerabilities that arose due to the use of its own encryption algorithm. Hive ransomware encrypts files using XOR with a random keystream that is different for each file. But we found that this random flow can be predicted fairly easily," the scientists write.


Based on this premise, the experts were able to recover most of the malware’s master key, which was used as the basis for file encryption.

The researchers' technique recovers about 95% of the master key, and even in this incomplete form the key can be used to decrypt data, restoring between 82% and 98% of a victim's files.

"92% restored master key successfully decrypts approximately 72% of files, 96% restored master key successfully decrypts approximately 82% of files, and 98% restored master key successfully decrypts approximately 98% of files," say the researchers.
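The relationship between a partly recovered master key and the share of files that can be decrypted follows directly from the scheme quoted above: every file's keystream is a slice of the same master key, and the slice's location is written into the file name, so any keystream bytes learned from one file (ciphertext XOR known plaintext) are master-key bytes that also serve every other file whose slice overlaps them. A file can be fully decrypted only if all of its slice positions are known. The following is an added example that models this; it is not Hive's code and not the researchers' tool. It assumes a small master key and a single fixed-size chunk per file (the report describes a 10MiB key and 1MiB plus 1KiB chunks), and it assumes the offset is encoded in the file name as hex; both are constructed simplifications.

```python
import random
from dataclasses import dataclass

# Toy parameters (constructed for this example). The report describes a 10 MiB
# master key and 1 MiB + 1 KiB chunks; one small chunk models the same idea.
MASTER_SIZE = 4096
CHUNK = 256


@dataclass
class EncryptedFile:
    name: str    # encrypted name carries the keystream offset (hex encoding is an assumption)
    data: bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(master: bytes, offset: int, length: int) -> bytes:
    """Keystream = CHUNK bytes of the master key at `offset`, repeated cyclically."""
    chunk = master[offset:offset + CHUNK]
    return bytes(chunk[i % CHUNK] for i in range(length))


def encrypt_file(master: bytes, name: str, plaintext: bytes, offset: int) -> EncryptedFile:
    """Model of the scheme: XOR with a keystream cut from the master key;
    the offset is written into the encrypted file name."""
    if not 0 <= offset <= MASTER_SIZE - CHUNK:
        raise ValueError("offset out of range")
    ct = xor(plaintext, keystream(master, offset, len(plaintext)))
    return EncryptedFile(f"{name}.{offset:08x}.hive", ct)


def offset_from_name(name: str) -> int:
    return int(name.split(".")[-2], 16)


def recover_master(known_pairs) -> dict:
    """Known-plaintext recovery: ciphertext XOR plaintext gives the keystream,
    and the file name says where in the master key that keystream came from.
    Returns {master_position: byte} for every position learned."""
    recovered = {}
    for enc, plain in known_pairs:
        off = offset_from_name(enc.name)
        for i, k in enumerate(xor(enc.data, plain)):
            pos = off + (i % CHUNK)
            if recovered.setdefault(pos, k) != k:
                raise ValueError(f"conflicting keystream byte at master position {pos}")
    return recovered


def try_decrypt(enc: EncryptedFile, recovered: dict):
    """Decrypt only if every keystream position this file needs is known; else None."""
    off = offset_from_name(enc.name)
    out = bytearray()
    for i, c in enumerate(enc.data):
        pos = off + (i % CHUNK)
        if pos not in recovered:
            return None
        out.append(c ^ recovered[pos])
    return bytes(out)


def simulate(seed: int = 1, n_files: int = 80, known_fraction: float = 0.3):
    """Encrypt random files, rebuild the master key from the fraction whose originals
    are available, and return (% of master key recovered, % of other files decrypted)."""
    rng = random.Random(seed)
    master = bytes(rng.getrandbits(8) for _ in range(MASTER_SIZE))   # constructed key
    files = []
    for n in range(n_files):
        plain = bytes(rng.getrandbits(8) for _ in range(rng.randrange(64, 2048)))
        offset = rng.randrange(0, MASTER_SIZE - CHUNK + 1)
        files.append((encrypt_file(master, f"doc{n}.txt", plain, offset), plain))
    n_known = int(n_files * known_fraction)
    known, unknown = files[:n_known], files[n_known:]
    recovered = recover_master(known)
    master_pct = 100.0 * len(recovered) / MASTER_SIZE
    decrypted = sum(1 for enc, plain in unknown if try_decrypt(enc, recovered) == plain)
    files_pct = 100.0 * decrypted / len(unknown) if unknown else 100.0
    return master_pct, files_pct


if __name__ == "__main__":
    for frac in (0.1, 0.3, 0.6):
        m, f = simulate(known_fraction=frac)
        print(f"originals known for {frac:.0%} of files: "
              f"master key {m:.1f}% recovered, {f:.1f}% of remaining files decrypted")
```

Running the simulation with increasing shares of known plaintext shows the same shape as the researchers' figures: the recovered fraction of the master key grows with every file whose keystream can be derived, while the fraction of decryptable files lags behind it, because a single unknown byte in a file's slice blocks that file entirely. The defensive lesson is the one the report draws: a scheme that reuses slices of one long key as XOR keystreams is a known-plaintext problem, not a cipher.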

Specialists from at least two information security companies (Bitdefender and Kaspersky) are known to be analyzing the report to determine whether a free decryptor for Hive can be built on the Korean researchers' findings.

First observed in June 2021, Hive is offered under an affiliate model and uses a wide range of tactics, techniques, and procedures (TTPs) to exfiltrate data of interest for extortion purposes.

In an alert last August, the FBI noted that Hive also terminates backup, security, and file-copying applications so that it can encrypt every targeted file. The ransomware also encrypts the Program Files directories.

Let me remind you that we previously reported that decryption keys for the Maze, Egregor and Sekhmet ransomware were posted on the Bleeping Computer forum, and that the FonixCrypter ransomware shut down and published a key for decrypting data.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
