Researchers have detailed a method for decrypting data encrypted by the Hive ransomware without relying on the private key that controls access to the content.
“We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis,” a group of academics from South Korea’s Kookmin University said in a new paper analyzing its encryption process.
Hive operates as ransomware-as-a-service (RaaS), using a range of methods to infect business networks, steal data, and encrypt the data on those networks. Once a system is compromised, the attackers demand a ransom to restore access to it.
Hive was first spotted in June 2021 when it attacked Altus Group. It relies on several initial-access methods, including vulnerable RDP servers, compromised VPN credentials, and phishing emails with malicious attachments.
The group also runs the widely used and lucrative double-extortion scheme, in which the attackers not only encrypt data but also steal it. Once the data has been exfiltrated, the attackers threaten to publish it on their Tor site, “HiveLeaks.”
As of October 16, 2021, the Hive RaaS program had targeted at least 355 companies, and the group ranked eighth among the top 10 ransomware strains by revenue in 2021, according to blockchain analytics company Chainalysis.
The malicious activities associated with the group have also prompted the U.S. Federal Bureau of Investigation (FBI) to release a Flash report detailing the attacks’ modus operandi, noting how the ransomware terminates processes related to backups, anti-virus, and file copying to facilitate encryption.
“For each file encryption process, two keystreams from the master key are needed,” the researchers explained. “Two keystreams are created by selecting two random offsets from the master key and extracting 0x100000 bytes (1MiB) and 0x400 bytes (1KiB) from the selected offset, respectively.”
The encryption keystream is derived by XORing those two keystreams, and the result is then XORed with the file data in staggered blocks to produce the encrypted file. This construction also allows the keystream to be guessed, which in turn makes it possible to recover the master key and decrypt files without the attacker’s private key.
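A scaled-down model of the construction described above, added here as an illustration and not code from the paper or from Hive itself; it assumes the short (1 KiB) stream is repeated cyclically across the long (1 MiB) stream, shrinks both sizes, and works on constructed data. It shows why a file with known contents leaks the combined keystream, and why the repeating short stream cancels out of any two keystream bytes one period apart, leaving an XOR relation between two master-key bytes so that a single known byte per chain fixes the rest.

```python
import random

# Simplified model of the keystream construction (sizes scaled down; the real
# streams are 0x100000 and 0x400 bytes). Assumption: the short stream repeats.
STREAM_A, STREAM_B = 4096, 256


def keystream(master: bytes, off_a: int, off_b: int, length: int) -> bytes:
    """Encryption keystream = long slice XOR (repeated) short slice."""
    a, b = master[off_a:off_a + STREAM_A], master[off_b:off_b + STREAM_B]
    return bytes(a[i] ^ b[i % STREAM_B] for i in range(length))


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Against an XOR stream, known plaintext reveals the keystream directly."""
    return xor(ciphertext, known_plaintext)


def master_relations(ks: bytes, off_a: int) -> dict:
    """The short stream cancels out of K[i] ^ K[i+STREAM_B], leaving
    M[off_a+i] ^ M[off_a+i+STREAM_B] == K[i] ^ K[i+STREAM_B]."""
    return {(off_a + i, off_a + i + STREAM_B): ks[i] ^ ks[i + STREAM_B]
            for i in range(len(ks) - STREAM_B)}


def propagate(known: dict, relations: dict) -> dict:
    """Walk the XOR relations: one known byte per chain fixes the whole chain."""
    known = dict(known)
    changed = True
    while changed:
        changed = False
        for (p, q), v in relations.items():
            if p in known and q not in known:
                known[q], changed = known[p] ^ v, True
            elif q in known and p not in known:
                known[p], changed = known[q] ^ v, True
    return known


def demo(file_len: int = 2048, off_a: int = 1000, off_b: int = 6000):
    rng = random.Random(7)                                   # constructed master key
    master = bytes(rng.getrandbits(8) for _ in range(8192))
    plain = bytes((i * 31) & 0xFF for i in range(file_len))  # constructed known file
    cipher = xor(plain, keystream(master, off_a, off_b, file_len))
    rel = master_relations(recover_keystream(cipher, plain), off_a)
    # Seed one byte per chain (the first STREAM_B bytes of the slice); everything
    # else in the slice then follows from the relations alone.
    seed = {off_a + i: master[off_a + i] for i in range(STREAM_B)}
    found = propagate(seed, rel)
    recovered = bytes(found[off_a + i] for i in range(file_len))
    return recovered == master[off_a:off_a + file_len], len(rel), len(found) - len(seed)
```

`demo()` returns whether the whole 2048-byte slice was rebuilt from only 256 seeded bytes, plus the number of relations and of newly derived bytes, which is the same reduction of unknowns that lets the researchers recover most of the real master key.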
The researchers said they were able to exploit the flaw to devise a method that reliably recovers more than 95% of the keys used during encryption.
“The master key recovered 92% succeeded in decrypting approximately 72% of the files, the master key restored 96% succeeded in decrypting approximately 82% of the files, and the master key restored 98% succeeded in decrypting approximately 98% of the files,” the researchers said.