Researchers claim to have cracked the encryption scheme of Hive ransomware. During their analysis they identified a cryptographic vulnerability that allowed them to recover the master key needed to unlock files.
A group of academics from South Korea identified a cryptographic vulnerability in the mechanism by which Hive ransomware generates and stores its master keys. To understand the vulnerability, it is important to first understand the encryption method.
Rather than encrypting a file's entire contents, the ransomware encrypts only selected portions of it, using two keystreams derived from the master key.
Every file encryption requires two keystreams taken from the master key. They are generated by choosing two random offsets into the master key and extracting 0x400 bytes (1 KiB) and 0x100000 bytes (1 MiB) starting at the selected offsets.
The encryption keystream, produced by XORing the two keystreams together, is then XORed with the file data in alternate blocks to produce the encrypted file. The researchers noted that it is possible to guess the keystreams and, from them, recover the master key. With that, they could decrypt the encrypted files without needing the attacker's private key.
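A toy model of the scheme described above, added here as an illustration (this is neither the researchers' code nor Hive's actual implementation): the block, master-key and segment sizes are shrunk assumptions, and encrypting every even-numbered block is a guess at what "alternate blocks" means. It shows why a known plaintext prefix leaks the combined keystream, why that keystream repeats so one period decrypts a whole file, and how each leaked byte becomes an XOR relation between two master-key bytes, which is the raw material for reconstructing the master key.

```python
import os

# Toy parameters (assumptions for this demo): the page only gives the 0x400-byte
# and 0x100000-byte segment sizes, which are shrunk here so the simulation is instant.
BLOCK = 16              # bytes per block; even-numbered blocks are encrypted, odd ones stay in clear
N1, N2 = 0x40, 0x100    # stand-ins for the 0x400 / 0x100000 byte keystream segments
MASTER_LEN = 0x1000     # toy master key length

def keystream(master, off1, off2, length):
    """Combined keystream: two master-key segments, cycled over the data and XORed."""
    ks1, ks2 = master[off1:off1 + N1], master[off2:off2 + N2]
    return bytes(ks1[i % N1] ^ ks2[i % N2] for i in range(length))

def encrypted_positions(length):
    """Byte offsets that fall inside an encrypted (even-numbered) block."""
    return [i for i in range(length) if (i // BLOCK) % 2 == 0]

def encrypt(master, off1, off2, data):
    """XOR the combined keystream into alternate blocks only."""
    ks, out = keystream(master, off1, off2, len(data)), bytearray(data)
    for i in encrypted_positions(len(data)):
        out[i] ^= ks[i]
    return bytes(out)

def recover_keystream(known_prefix, ciphertext):
    """A known plaintext prefix leaks the keystream at every encrypted position it
    covers; since N1 divides N2 the keystream repeats every N2 bytes, so store it mod N2."""
    return {i % N2: known_prefix[i] ^ ciphertext[i]
            for i in encrypted_positions(len(known_prefix))}

def decrypt_without_master(leaked, ciphertext):
    """Strip the encryption using only leaked keystream bytes; returns None when
    an encrypted position has no leaked byte (prefix shorter than one period)."""
    out = bytearray(ciphertext)
    for i in encrypted_positions(len(ciphertext)):
        if i % N2 not in leaked:
            return None
        out[i] ^= leaked[i % N2]
    return bytes(out)

def master_equations(leaked, off1, off2):
    """Each leaked byte is one relation master[a] ^ master[b] == value; gathered over
    many files with different offsets, these relations constrain the master key itself."""
    return [(off1 + j % N1, off2 + j, v) for j, v in leaked.items()]

if __name__ == "__main__":
    master = os.urandom(MASTER_LEN)                     # constructed demo key
    plain = b"%PDF-1.7 constructed header " * 20 + os.urandom(4000)
    ct = encrypt(master, 0x123, 0x456, plain)
    leaked = recover_keystream(plain[:N2 * 2], ct)      # only the header is "known"
    print(decrypt_without_master(leaked, ct) == plain)  # True, no master key used
```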
The researchers exploited the flaw to recover 92–98% of the master key used during encryption. Even with this incomplete master key, they could decrypt around 72–98% of the encrypted files.
This recent development is purportedly the first successful attempt to recover files encrypted by this ransomware. The method can be used to limit the damage caused by Hive ransomware, allowing victims to recover their files free of cost and providing motivation in the fight against the deadly threats posed by ransomware across the globe.