Researchers have described the “first successful attempt” at decrypting data encrypted by Hive ransomware without relying on the attacker’s private key, the key the attacker uses to withhold access to the material.
“We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis,” a group of academics from South Korean Kookmin University said in a new paper evaluating its encryption process.
Like other cybercriminal organizations, Hive operates a ransomware-as-a-service (RaaS) model. It compromises company networks, exfiltrates information, encrypts the data on those networks, and then demands a ransom in return for the decryption software. It was first observed in June 2021, when it hit the Altus Group. Hive relies on a range of initial-compromise tactics, such as weakly secured RDP servers, stolen VPN credentials, and phishing emails with malicious attachments.
The gang also engages in the increasingly profitable double-extortion scheme, in which the actors go beyond encryption by exfiltrating sensitive victim data and threatening to publish it on their Tor leak site, “HiveLeaks.” According to blockchain analytics firm Chainalysis, the Hive RaaS program had harmed at least 355 businesses as of October 16, 2021, placing the group eighth among the top 10 ransomware strains by revenue in 2021.
The FBI released a Flash report describing the group’s modus operandi, highlighting how the ransomware stops programs linked to backups, anti-virus, and file copying in order to facilitate encryption. The researchers discovered a cryptographic flaw in the mechanism used to generate and store master keys. The ransomware strain encrypts only selected portions of each file rather than its complete contents, using two keystreams derived from the master key.
The encryption keystream (produced by combining the two keystreams with an XOR operation) is XORed with the file contents in alternating blocks to produce the encrypted file. However, this construction makes it possible to guess the keystreams and recover the master key, allowing encrypted data to be decrypted without the attacker’s private key. The researchers showed that the vulnerability let them devise a method that reliably recovers more than 95% of the keys used during encryption.
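To illustrate why an XOR keystream applied in alternating blocks is recoverable, here is a simplified toy model of the scheme described above. It is an added example, not the researchers’ code or Hive’s actual implementation: the master key size, keystream length, block size and per-file offsets are constructed assumptions. It shows that a single file whose contents are already known (a known-plaintext file) reveals the combined keystream, which then decrypts a second file encrypted with the same keystream, all without the attacker’s key.

```python
import os

# Toy model of the scheme described in the text. Sizes, offsets and block
# layout are constructed for illustration; they are NOT Hive's real parameters.
MASTER_LEN, KS_LEN, BLOCK = 4096, 256, 64

def combined_keystream(master, off1, off2):
    """Two keystreams sliced from the master key at per-file offsets, XORed into one."""
    ks1 = master[off1:off1 + KS_LEN]
    ks2 = master[off2:off2 + KS_LEN]
    return bytes(a ^ b for a, b in zip(ks1, ks2))

def xor_alternating(data, ks):
    """XOR ks into even-numbered blocks only; odd blocks stay in the clear.
    The keystream index advances only over encrypted bytes and wraps at KS_LEN."""
    out, k = bytearray(data), 0
    for start in range(0, len(data), 2 * BLOCK):
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= ks[k % KS_LEN]
            k += 1
    return bytes(out)

def encrypt(master, off1, off2, data):
    return xor_alternating(data, combined_keystream(master, off1, off2))

def recover_keystream(known_plain, cipher):
    """Known-plaintext recovery: inside an encrypted block, plain ^ cipher is the
    keystream byte. Returns {keystream_index: byte} for every byte we can see."""
    recovered, k = {}, 0
    for start in range(0, len(cipher), 2 * BLOCK):
        for i in range(start, min(start + BLOCK, len(cipher))):
            if i < len(known_plain):
                recovered[k % KS_LEN] = known_plain[i] ^ cipher[i]
            k += 1
    return recovered

def decrypt_with_recovered(cipher, recovered):
    """Decrypt a file that used the same keystream, using only recovered bytes."""
    if len(recovered) < KS_LEN:
        raise ValueError(f"only {len(recovered)}/{KS_LEN} keystream bytes known")
    ks = bytes(recovered[i] for i in range(KS_LEN))
    return xor_alternating(cipher, ks)  # XOR is its own inverse

def demo():
    master = os.urandom(MASTER_LEN)  # attacker's secret; never read below
    off1, off2 = 100, 2000           # assumed per-file offsets into the master key
    known = bytes(range(256)) * 8    # file A: contents known to the defender
    secret_b = os.urandom(1500)      # file B: contents unknown, same keystream pair
    cipher_a = encrypt(master, off1, off2, known)
    cipher_b = encrypt(master, off1, off2, secret_b)
    recovered = recover_keystream(known, cipher_a)
    return decrypt_with_recovered(cipher_b, recovered) == secret_b

if __name__ == "__main__":
    print("file B recovered without the master key:", demo())
```

Because the keystream is only 256 bytes long and wraps, 1024 encrypted bytes of file A already expose all of it; a short known header would yield a partial keystream and a correspondingly partial decryption of other files.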