South Korean researchers have published a method to decrypt Hive ransomware-affected files, which they hope will allow organisations hit by the group to recover their data.
The researchers analysed Hive’s encryption algorithm and uncovered a vulnerability which allows the encryption master key to be partially recovered from encrypted files. According to the paper from Kookmin University’s Department of Financial Information Security, the team recovered 95% of the master key, and used it to decrypt anything from 72% to 98% of the data in test files.
Hive ransomware shot to prominence after it emerged in June 2021, and has subsequently hit groups including €15bn European car dealership Emil Frey, and numerous healthcare groups. Chainalysis ranked Hive as the eighth-highest ransomware strain by revenue. The FBI in August 2021 and Spain’s INCIBE in January 2022 released urgent updates warning of the risks from Hive ransomware.
The Kookmin team deliberately infected test machines with Hive, then used a randomly created dataset to measure how much of the master key could be recovered. Small files had to be analysed in far greater numbers than large ones to recover the key: it took 6,400 files averaging 21KB, compared with just 200 files of around 10MB, to recover around 95% of the master key – or 300 5MB files to retrieve 99% of the key.
They then created a dataset of 50,000 files, which they infected with Hive, to see how much of the data within them could be restored. With 92.65% of the master key they were able to restore 72% of a file’s data; 96.01% led to 82% recovery; while 96.56% of the master key let them recover anything from 95% to 98% of files. In most cases the start and end of each file were unrecoverable when decrypting Hive ransomware-affected files.
“The decryption method is feasible without access to the attacker’s information, using just encrypted files. We obtained the master key by solving numerous equations for XOR operations acquired from the encrypted files. We also experimentally verified that our method succeeded in the key recovery with approximately a rate of 95%. We expect that our method will be helpful for individuals and enterprises damaged by the Hive ransomware,” the researchers concluded.
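To illustrate the kind of XOR-equation solving the researchers describe, here is an added example that is not from the paper or from this article. It assumes a simplified model in which each ciphertext byte is the plaintext byte XORed with two master-key bytes taken at two file-specific offsets, and that every file begins with a known header; the key length, file count, header and offsets are all constructed. Once two key positions are linked through the equations, their XOR (the keystream byte) is known even though neither key byte is, which is why a partially recovered key still decrypts most of a file.

```python
import random
from collections import Counter

class XorSolver:
    """Weighted union-find: rel[x] = MK[x] ^ MK[root(x)], so two linked key bytes have a known XOR."""
    def __init__(self, n):
        self.parent, self.rel = list(range(n)), [0] * n
    def find(self, x):  # root of x, compressing the path and re-basing rel[] on the root
        path = []
        while self.parent[x] != x:
            path.append(x)
            x = self.parent[x]
        acc = 0
        for node in reversed(path):
            acc ^= self.rel[node]
            self.rel[node], self.parent[node] = acc, x
        return x
    def add_equation(self, x, y, v):  # record MK[x] ^ MK[y] == v; False if it contradicts
        rx, ry = self.find(x), self.find(y)
        if rx == ry:
            return self.rel[x] ^ self.rel[y] == v
        self.parent[rx], self.rel[rx] = ry, self.rel[x] ^ self.rel[y] ^ v
        return True
    def keystream_byte(self, x, y):  # MK[x] ^ MK[y], or None while the two are unlinked
        return self.rel[x] ^ self.rel[y] if self.find(x) == self.find(y) else None

def encrypt(mk, data, off1, off2):  # simplified Hive-style keystream (assumed model, not Hive's code)
    n = len(mk)
    return bytes(b ^ mk[(off1 + j) % n] ^ mk[(off2 + j) % n] for j, b in enumerate(data))

def decrypt_partial(solver, key_len, ct, off1, off2):  # None where the keystream byte is unknown
    ks = [solver.keystream_byte((off1 + j) % key_len, (off2 + j) % key_len) for j in range(len(ct))]
    return [None if k is None else c ^ k for c, k in zip(ct, ks)]

def simulate(seed=1, key_len=2048, n_files=200, file_len=512, prefix_len=32):
    rng = random.Random(seed)
    mk = bytes(rng.randrange(256) for _ in range(key_len))  # constructed master key
    header = bytes(range(prefix_len))                        # constructed known format header
    files = []
    for _ in range(n_files):
        pt = header + bytes(rng.randrange(256) for _ in range(file_len - prefix_len))
        off1, off2 = rng.randrange(key_len), rng.randrange(key_len)
        files.append((pt, encrypt(mk, pt, off1, off2), off1, off2))
    solver = XorSolver(key_len)
    for _, ct, off1, off2 in files:  # one XOR equation per known plaintext byte
        for j in range(prefix_len):
            assert solver.add_equation((off1 + j) % key_len, (off2 + j) % key_len, ct[j] ^ header[j])
    key_linked = max(Counter(solver.find(i) for i in range(key_len)).values()) / key_len
    pt, ct, off1, off2 = files[0]
    rec = decrypt_partial(solver, key_len, ct, off1, off2)  # body beyond the header is unknown plaintext
    recovered = sum(r is not None for r in rec) / len(rec)
    return key_linked, recovered, all(r is None or r == p for r, p in zip(rec, pt))
```

`simulate()` returns the share of key positions tied into the largest linked set, the share of the first file's bytes that decrypt, and whether every decrypted byte matches the original plaintext.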
The research team consisted of Giyoon Kim, Soram Kim, Soojin Kang, and Jongsung Kim, and was supported by a grant from the Korean Information Security Agency. The full paper includes their code and methodology, and is available here.