Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm

Researchers have detailed what they call the “First successful attempt” at decrypting data infected with Hive ransomware without relying on the private key used to lock access to the content.

“We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis,” a group of academics from South Korea’s Kookmin University said in a new paper analyzing its encryption process.

The cryptographic vulnerability identified by the researchers concerns the mechanism by which the master keys are generated and stored, with the ransomware strain only encrypting select portions of the file as opposed to the entire contents using two keystreams derived from the master key.

“For each file encryption process, two keystreams from the master key are needed,” the researchers explained.

“Two keystreams are created by selecting two random offsets from the master key and extracting 0x100000 bytes and 0x400 bytes from the selected offset, respectively.”

“The master key recovered 92% succeeded in decrypting approximately 72% of the files, the master key restored 96% succeeded in decrypting approximately 82% of the files, and the master key restored 98% succeeded in decrypting approximately 98% of the files,” the researchers said.

Share this article on social media:

Subscribe to Our Newsletter!

Stay on top of cybersecurity risks, evolving threats and industry news.

This field is for validation purposes and should be left unchanged.

Recent News

Featured Services

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:

BOOK A MEETING

Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.