Hive Ransomware

Chris Swagler | February 23rd, 2022


Researchers have described the ‘first successful attempt’ at decrypting Hive ransomware-infected data without the private key used to lock access to the content. A group of academics from a South Korean university dissected Hive ransomware’s encryption process, identified a cryptographic vulnerability through analysis, and were able to recover the master key from which the file encryption keys are generated, all without the threat operator’s private key. Like other cybercriminal groups, Hive uses a Ransomware-as-a-Service (RaaS) model in which it compromises business networks, exfiltrates data, encrypts the data on those networks, and then demands a ransom in exchange for access to decryption software.

Flaw in Hive Ransomware Encryption Algorithm

The Hive ransomware was first observed in 2021 and has used various initial compromise methods, including vulnerable Remote Desktop Protocol (RDP) servers, compromised VPN credentials, and phishing emails with malicious attachments. Additionally, the group practices the increasingly lucrative double extortion scheme, in which the actors go beyond encryption by exfiltrating sensitive victim data and threatening to publish it on their Tor site, “HiveLeaks.” According to a blockchain analytics company, as of October 16, 2021, the Hive RaaS program had harmed at least 355 businesses, putting the group in the eighth spot among the top 10 ransomware strains by revenue. The Federal Bureau of Investigation (FBI) released a Flash report detailing the modus operandi of the group’s attacks, explaining how the ransomware terminates processes related to backups, anti-virus, and file copying in order to facilitate encryption.

Researchers discovered a cryptographic vulnerability in the mechanism for generating and storing master keys. The ransomware strain encrypts only select portions of each file rather than its entire contents, and it does so using two keystreams derived from the master key. According to the researchers, two keystreams from the master key are required for each file encryption process: the ransomware selects two random offsets into the master key and extracts 0x100000 bytes (1 MiB) from one offset and 0x400 bytes (1 KiB) from the other, producing the two keystreams.

To generate the encrypted file, the encryption keystream, created by XORing the two keystreams together, is XORed with the file data in alternating blocks. Because the data is only XORed with material taken directly from the master key, this construction can be used to guess the keystreams and restore the master key, which allows encrypted files to be decoded without the private key. According to the researchers, they were able to use the flaw to devise a method that reliably recovers more than 95% of the keys used during encryption.
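The following is an added, scaled-down model of the keystream construction described above; it is illustration code written for this article, not Hive’s code and not the researchers’ decryption tool. It assumes (as labelled in the comments) much smaller key and keystream sizes than the real 0x100000- and 0x400-byte slices, that the two offsets are available to the decryptor, and that every byte is XORed rather than only alternating blocks. The point it demonstrates is why XORing two master-key slices is weak: each byte of known plaintext reveals one XOR relation between two master-key positions, those relations chain across files that share key positions, and the decryptor never needs to learn a single master-key byte outright to decrypt a file whose positions the relations reach.

```python
"""Toy model of the Hive keystream weakness (added illustration, not Hive's code
and not the researchers' tool).  Assumptions: key and keystream sizes are scaled
down, the two offsets are known to the decryptor (the model keeps them beside the
ciphertext), and every byte is XORed rather than alternate blocks only."""
import random

KEY_LEN = 4096   # stand-in for the real, much larger master key
L1 = 256         # stand-in for the 0x100000-byte keystream slice
L2 = 16          # stand-in for the 0x400-byte keystream slice


def keystream(master, off1, off2, n):
    """Per-file keystream: a long slice XOR a short slice that repeats."""
    return bytes(master[off1 + i] ^ master[off2 + (i % L2)] for i in range(n))


def xor_encrypt(master, data, off1, off2):
    """XOR data with the keystream; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(master, off1, off2, len(data))))


class XorRelations:
    """Weighted union-find storing facts of the form key[x] ^ key[y] == v.
    No key byte is ever learned outright, but the XOR of any two positions in
    one connected component can be answered, and that is all decryption needs."""

    def __init__(self, n):
        self.parent = list(range(n))
        self.delta = [0] * n      # delta[x] == key[x] ^ key[parent[x]]

    def find(self, x):
        """Return (root, key[x] ^ key[root]); iterative, with path compression."""
        path = []
        while self.parent[x] != x:
            path.append(x)
            x = self.parent[x]
        acc = 0
        for node in reversed(path):      # walk back down, accumulating deltas
            acc ^= self.delta[node]
            self.delta[node], self.parent[node] = acc, x
        return x, acc

    def relate(self, x, y, v):
        """Record key[x] ^ key[y] == v (merging components if needed)."""
        rx, dx = self.find(x)
        ry, dy = self.find(y)
        if rx != ry:
            self.parent[rx] = ry
            self.delta[rx] = dx ^ v ^ dy   # key[rx] ^ key[ry], routed via x and y

    def xor_of(self, x, y):
        """key[x] ^ key[y] if derivable from what was learned, else None."""
        rx, dx = self.find(x)
        ry, dy = self.find(y)
        return dx ^ dy if rx == ry else None


def learn(rel, ciphertext, known_plaintext, off1, off2):
    """Each known plaintext byte reveals one master-key relation."""
    for i, (c, p) in enumerate(zip(ciphertext, known_plaintext)):
        rel.relate(off1 + i, off2 + (i % L2), c ^ p)


def recover(rel, ciphertext, off1, off2):
    """Decrypt every byte the learned relations reach; None where they do not."""
    out = []
    for i, c in enumerate(ciphertext):
        k = rel.xor_of(off1 + i, off2 + (i % L2))
        out.append(None if k is None else c ^ k)
    return out


def chained_case():
    """Two known files share the short-slice offset c with the victim's offsets a
    and b, so relations chain a+i ~ c+(i%L2) ~ b+(i%L2) and the victim decrypts."""
    master = bytes(random.Random(7).getrandbits(8) for _ in range(KEY_LEN))
    rel = XorRelations(KEY_LEN)
    a, b, c = 100, 2000, 3000
    known1, known2 = bytes(range(256)), b"K" * L2        # constructed plaintexts
    learn(rel, xor_encrypt(master, known1, a, c), known1, a, c)
    learn(rel, xor_encrypt(master, known2, b, c), known2, b, c)
    victim = b"victim"                                   # constructed secret file
    return bytes(recover(rel, xor_encrypt(master, victim, a, b), a, b))


def demo(seed=1, n_known=80):
    """Random offsets, as the ransomware picks them: returns the fraction of an
    unknown file recovered from n_known files whose plaintext is available."""
    rng = random.Random(seed)
    master = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    rel = XorRelations(KEY_LEN)
    for _ in range(n_known):
        plain = bytes(rng.getrandbits(8) for _ in range(L1))
        o1, o2 = rng.randrange(KEY_LEN - L1), rng.randrange(KEY_LEN - L2)
        learn(rel, xor_encrypt(master, plain, o1, o2), plain, o1, o2)
    secret = b"constructed victim document " * 9        # 252 bytes, never learned
    o1, o2 = rng.randrange(KEY_LEN - L1), rng.randrange(KEY_LEN - L2)
    got = recover(rel, xor_encrypt(master, secret, o1, o2), o1, o2)
    assert all(g is None or g == s for g, s in zip(got, secret))  # never wrong, only missing
    return sum(g is not None for g in got) / len(secret)


if __name__ == "__main__":
    print(chained_case(), f"{demo():.0%}")
```

`chained_case` is the minimal instance: the victim file is decrypted although no master-key byte is ever known, because the XOR of two positions in one connected component is fixed regardless of the component’s unknown base value. `demo` repeats the idea with random offsets and a pool of files whose plaintext is available (in practice, operating-system or application files that a clean install also contains); the more such files there are, the larger the reachable fraction of an unknown file, which is the effect the researchers’ 95% figure reflects. A defensive reading is that this is exactly the check a cipher design review should make: any scheme that reuses secret material through plain XOR lets known plaintext turn into equations over that material.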

With researchers now turning flaws in encryption algorithms into recovered master keys that decrypt infected files, groups like Hive will look to retool and refine their encryption methods and techniques to prevent decryption keys from being reconstructed. This is yet another example of why it’s crucial for companies to remain on top of the latest threat landscape and always keep their data networks’ security posture updated. At SpearTip, you can trust our certified engineers to quickly respond to any breaches with one of the fastest response times in the industry. Our engineers continuously monitor companies’ networks 24/7/365 at our Security Operations Centers for potential cyber threats like the Hive ransomware. ShadowSpear, our endpoint detection and response platform, is an excellent proactive tool that optimizes visibility and integrates with cloud, network, and endpoint devices, providing an extra layer of network security.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
