Files encrypted by ransomware can’t be recovered without obtaining the decryption key, if the encryption has been done properly. But that doesn’t seem to be the case for Hive ransomware. Researchers from the Kookmin University in Korea have published a method for decrypting the data scrambled by Hive.

Under normal circumstances, victims have to pay a ransom to get the private key that enables them to decrypt their encrypted files. But the researchers managed to exploit a flaw in the encryption routine which allowed them to recover the master key, making it possible to decrypt all the files of a victim that were encrypted in the same session.

Hive ransomware

Hive ransomware has been around since June 2021 and is a typical targeted ransomware-as-a-service (RaaS) which uses the threat to publish exfiltrated data as extra leverage to get the victims to pay. The ransomware group is known to work with affiliates that use various methods to compromise company networks.

In August 2021, the FBI published a warning about Hive ransomware sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice.

The flaw

The cryptographic vulnerability identified by the researchers lies in the mechanism by which the master keys are generated and stored. A master key is generated as one of the first steps in the encryption process. This master key is then used to generate a keystream for the data encryption process.

The ransomware only encrypts select portions of the file instead of all content using two keystreams derived from the master key.  Those two keystreams from the master key are generated using two random offsets from the master key and are combined and XORed to create the encryption keystream. When the file is encrypted, pointers to the keystreams in the master key are stored in the filename.

Since the keystreams get partially reused for every encrypted file, the researchers figured out that with enough data they could “guess” the keystreams. But to successfully decrypt the files they also needed:

  • Some of the original files corresponding to encrypted files; or
  • Several encrypted files with known signatures, such as .pdf, .xlsx, or .hwp.

If the researchers had either of those, the keystreams could be collected and the master key recovery initiated. Finding corresponding unencrypted files is easier than you would think, because unlike other ransomware, Hive encrypts the Program files, Program files (x86), and ProgramData directories, which commonly store software files that are not related to the operating system, but instead other software. These software packages and installation files could easily be obtained on the Internet.

Decryption success rate

By running some experiments, the researchers made an estimate about the accuracy with which they could reconstruct the master key and how many encrypted files could be recovered with such a partially known master key.

When 92% of the master key was recovered, the researchers succeeded in successfully decrypting approximately 72% of the files. When 96% of the master key was restored, the researchers successfully decrypted around 82% of the files, and when 98% of the master key was restored, approximately 98% of the files were successfully decrypted.

Using the method proposed by the researchers, usually more than 95% of the master key used for generating the encryption keystream was recovered, and a majority of the encrypted files could be recovered by using the recovered master key.

How does this help victims?

The researchers said:

“The decryption method is feasible without access to the attacker’s information, using just encrypted files. We obtained the master key by solving numerous equations for XOR operations acquired from the encrypted files. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware.”

This research may seem very theoretical for now, but you can rest assured that other researchers are figuring out ways to use the theoretical work done by these researchers and turn it into a working decryptor that victims of the Hive ransomware can use to get their files back.

Often, you can find working decryptors posted on the NoMoreRansom website. This is a project where law enforcement and IT security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.

We will keep you updated if a working decryptor is created based on this research.