Hive ransomware has been active since June 2021 and operates as Ransomware-as-a-Service (RaaS). Hive adopts a double-extortion model, threatening to publish data stolen from victims on its leak site, HiveLeaks.
Researchers have discovered a flaw in the encryption algorithm used by Hive ransomware that allowed them to decrypt data without knowing the private key the gang uses to encrypt files. Hive uses a hybrid encryption method in which its own symmetric cipher is used to encrypt the files.
The technique devised by the team of academics was able to recover more than 95% of the keys used in the encryption process.
The ransomware generates 10 MiB of random data and uses it as a master key. For each file to be encrypted, the malware extracts 1 MiB and 1 KiB of data from specific offsets of the master key and uses them as a keystream. The offset is stored in the encrypted file name of each file, which lets the malware determine the keystream offset from the filename and decrypt the file.
The test results demonstrated the effectiveness of the method: a master key recovered at 92% succeeded in decrypting approximately 72% of the files, a master key recovered at 96% decrypted approximately 82% of the files, and a master key recovered at 98% decrypted approximately 98% of the files.
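As an added illustration (not the researchers' code, nor Hive's), the following scaled-down Python model of the keystream scheme described above shows why the fraction of the master key recovered maps onto the share of decryptable files: files with known contents reveal the key bytes at their offsets, and any other file whose offset range is covered can then be decrypted. The sizes, the filename encoding and the use of a single extract (instead of the 1 MiB and 1 KiB pair) are simplifying assumptions.

```python
import random

# Scaled-down model (assumption): Hive uses a 10 MiB master key and 1 MiB / 1 KiB
# per-file extracts; here a 64 KiB key and a single 4 KiB extract stand in for them.
MASTER_KEY_SIZE = 64 * 1024
EXTRACT_SIZE = 4 * 1024

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_file(master: bytes, plaintext: bytes, offset: int) -> tuple[bytes, str]:
    """Keystream = slice of the master key at `offset`; the offset goes into the file name (hypothetical encoding)."""
    keystream = master[offset:offset + len(plaintext)]
    return xor_bytes(plaintext, keystream), f"{offset:08x}.hive"

def parse_offset(name: str) -> int:
    return int(name.split(".")[0], 16)

def learn_from_known_plaintext(recovered: bytearray, known: bytearray,
                               ciphertext: bytes, plaintext: bytes, name: str) -> None:
    """ciphertext XOR plaintext = keystream = master-key bytes at the file's offset; record them."""
    offset = parse_offset(name)
    for i, k in enumerate(xor_bytes(ciphertext, plaintext)):
        recovered[offset + i], known[offset + i] = k, 1

def decrypt_file(recovered: bytes, known: bytes, ciphertext: bytes, name: str) -> tuple[bytes, float]:
    """Decrypt with the partially recovered key; unrecovered positions stay NUL, second result is the recovered fraction."""
    offset = parse_offset(name)
    out, hits = bytearray(len(ciphertext)), 0
    for i, c in enumerate(ciphertext):
        if known[offset + i]:
            out[i], hits = c ^ recovered[offset + i], hits + 1
    return bytes(out), (hits / len(ciphertext) if ciphertext else 1.0)

def simulate(seed: int, n_known: int, n_unknown: int) -> tuple[float, float]:
    """Encrypt n_known files of known content (constructed: zero-filled) and n_unknown random
    files; return (fraction of master key recovered, fraction of unknown files fully decrypted)."""
    rng = random.Random(seed)
    master = rng.randbytes(MASTER_KEY_SIZE)
    recovered, known = bytearray(MASTER_KEY_SIZE), bytearray(MASTER_KEY_SIZE)
    max_offset = MASTER_KEY_SIZE - EXTRACT_SIZE
    for _ in range(n_known):
        pt = bytes(EXTRACT_SIZE)
        ct, name = encrypt_file(master, pt, rng.randrange(max_offset + 1))
        learn_from_known_plaintext(recovered, known, ct, pt, name)
    full = 0
    for _ in range(n_unknown):
        pt = rng.randbytes(EXTRACT_SIZE)
        ct, name = encrypt_file(master, pt, rng.randrange(max_offset + 1))
        full += decrypt_file(recovered, known, ct, name)[1] == 1.0
    return sum(known) / MASTER_KEY_SIZE, full / n_unknown
```

Calling `simulate(1, n, 50)` for increasing `n` shows key coverage and the share of fully decryptable files rising together, the same relationship the percentages above describe.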
The researchers' findings were likely the starting point for the work of the KISA agency, which eventually developed a decryptor.