Decrypting Hive Ransomware Data

Nice piece of research:

Abstract: Among the many types of malicious codes, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies suffer from considerable damage, such as the payment of huge amounts of money or the loss of important data. In this paper, we analyzed Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive Ransomware and to help victims recover their files, we analyzed Hive Ransomware and studied recovery methods. By analyzing the encryption process of Hive ransomware, we confirmed that vulnerabilities exist by using their own encryption algorithm. We have recovered the master key for generating the file encryption key partially, to enable the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. It is expected that our method can be used to reduce the damage caused by Hive ransomware.

Here’s the flaw:

The cryptographic vulnerability identified by the researchers concerns the mechanism by which the master keys are generated and stored, with the ransomware strain only encrypting select portions of the file as opposed to the entire contents using two keystreams derived from the master key.

The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file. But this technique also makes it possible to guess the keystreams and restore the master key, in turn enabling the decode of encrypted files sans the attacker’s private key.

The researchers said that they were able to weaponize the flaw to devise a method to reliably recover more than 95% of the keys employed during encryption.
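The quoted passage gives enough of the scheme to show why it breaks. The block below is an added toy model, not the paper's code and not Hive's: it assumes a 4 KiB master key, two keystreams taken as byte slices of that key at fixed offsets (`off1`, `off2`), 16-byte blocks, and the same slices reused across files on a host; all of those parameters are assumptions for the demonstration, and Hive's real sizes and offset handling differ. What it does reproduce is the algebra in the text: the encryption keystream is `ks1 XOR ks2`, it is XORed into alternate blocks, and because XOR is linear, one file whose original can be obtained elsewhere (an installer, a backup) yields the keystream, which then decrypts any other file that used the same slices. It also illustrates the known-plaintext alignment point raised in the comments below.

```python
"""Toy model of the Hive-style keystream flaw (added example; assumptions noted)."""
import secrets

BLOCK = 16            # toy block size (assumption, not from the paper)
MASTER_LEN = 4096     # toy master-key length (assumption, not from the paper)


def derive_keystreams(master: bytes, off1: int, off2: int, length: int):
    """Two keystreams modelled as slices of the master key (simplified model)."""
    if off1 + length > len(master) or off2 + length > len(master):
        raise ValueError("slice runs past the master key")
    return master[off1:off1 + length], master[off2:off2 + length]


def combine(ks1: bytes, ks2: bytes) -> bytes:
    """Encryption keystream = ks1 XOR ks2, as the quoted description states."""
    return bytes(a ^ b for a, b in zip(ks1, ks2))


def encrypted_ranges(n: int):
    """Byte ranges that get XORed: every other BLOCK-sized block, starting at 0."""
    for start in range(0, n, 2 * BLOCK):
        yield start, min(start + BLOCK, n)


def xor_alternate(data: bytes, keystream: bytes) -> bytes:
    """Apply the keystream to alternate blocks; the blocks in between stay in clear.
    XOR is its own inverse, so the same function encrypts and decrypts."""
    out = bytearray(data)
    pos = 0
    for lo, hi in encrypted_ranges(len(data)):
        for i in range(lo, hi):
            if pos >= len(keystream):
                raise ValueError("keystream too short for this file")
            out[i] ^= keystream[pos]
            pos += 1
    return bytes(out)


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext recovery: P XOR C over the encrypted blocks is the
    combined keystream. No key material is needed, only an original copy."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext/ciphertext length mismatch")
    ks = bytearray()
    for lo, hi in encrypted_ranges(len(plaintext)):
        ks.extend(p ^ c for p, c in zip(plaintext[lo:hi], ciphertext[lo:hi]))
    return bytes(ks)


def demo(seed_master: bytes = b"") -> dict:
    """Encrypt two constructed files with one keystream, recover the keystream
    from the file whose original is available, and decrypt the other one."""
    master = seed_master or secrets.token_bytes(MASTER_LEN)
    ks1, ks2 = derive_keystreams(master, off1=100, off2=2000, length=1024)
    keystream = combine(ks1, ks2)

    # Constructed sample data: a file with an obtainable original (installer-like
    # header padded to 512 bytes) and a private file the defender wants back.
    known_plain = b"SETUP.EXE header and install resources ...".ljust(512, b"\x00")
    victim_plain = b"Q1 financial figures: revenue 12.3M, net -0.4M; do not distribute" * 4

    known_cipher = xor_alternate(known_plain, keystream)
    victim_cipher = xor_alternate(victim_plain, keystream)

    recovered = recover_keystream(known_plain, known_cipher)
    victim_back = xor_alternate(victim_cipher, recovered)
    return {
        # the recovered bytes are exactly the keystream prefix that was used
        "keystream_prefix_matches": recovered == keystream[:len(recovered)],
        # the private file decrypts with no access to any key
        "victim_recovered": victim_back == victim_plain,
        # partial encryption: the second block of the victim file was never hidden
        "clear_block_leaks": victim_cipher[BLOCK:2 * BLOCK] == victim_plain[BLOCK:2 * BLOCK],
    }


if __name__ == "__main__":
    print(demo())
```

Two things to take from running it: the recovered keystream is only as long as the encrypted part of the known file, so longer victim files need a longer known original (which is why the paper needs many originals to reconstruct most of the master key), and the unencrypted alternate blocks leak plaintext regardless. A proper design would use a per-file key under an authenticated cipher rather than a linear combination of key slices.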

Posted on March 1, 2022 at 6:06 AM • 13 Comments

Comments

Vesselin Bontchev March 1, 2022 7:48 AM

This is not realistic.

First of all, they are talking about an old version of Hive. The cryptographic protocol has changed since and this flaw no longer exists.

Second, they require literally hundreds of unencrypted copies of the encrypted files. How often do people have such lying around?

Clive Robinson March 1, 2022 8:37 AM

Hmmm,

“The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file.”

Never a good idea as it’s both linear and reversible. Worse if the two keystreams are from LFSR systems and the same length/feedback taps but just different starting points / offset from each other, then you get the same stream, just shifted…

“But this technique also makes it possible to guess the keystreams”

Yup, especially if you have a chunk of plaintext that you can line up with the ciphertext. If the plaintext is a little over twice the largest stream generator internal effective storage array (Sarray), you can recover most stream generator outputs. Thus recover their start positions…

Ted March 1, 2022 2:59 PM

@Vesselin Bontchev

… they require literally hundreds of unencrypted copies of the encrypted files. How often do people have such laying around?

It looks like Hive ransomware encrypts Program files, but not OS files. The researchers say they can obtain unencrypted original files, like software installation files, from the internet. They can use backup and other types of files too. I don’t know how many files this would be though.

Also, where did you see the Hive version?

The paper notes that “certain ransomware may use a self-developed encryption algorithm.” “Self-developed” sounds risky.

Clive Robinson March 1, 2022 4:44 PM

@ Alan,

FYI, “How China built a one-of-a-kind cyber-espionage behemoth”

Treat with caution…

Because when I read sloppy work like,

“Chinese government hackers have exploited more powerful zero-day vulnerabilities —previously undiscovered weaknesses in technology for which there is no known defense—

That is actually not true…

I get suspicious and start digging.

Contrary to what is written in the article, there is a very effective defence from outside attack,

Do NOT connect to any external network directly or indirectly.

A properly isolated system works rather well as a defence measure. Because as an attacker, if you can not reach a system in any way, you can not attack it.

But some say such isolation makes their work/life harder… So they don’t do it and so a nation’s secrets, be they “National Security” or “Intellectual property” (IP), get hoovered up.

The point is,

There will always be zero-days, side channels, and other Unknown Unknowns.

Knowing that… you should then take sensible mitigations.

Not to do so would at best be silly, ranging through dereliction of duty to worse (aiding and abetting the enemy in times of war).

Whilst in the west we generally do not shoot idiots, sometimes firing or terminating them with prejudice is the best option.

But you have to ensure it’s the right idiot and not a lower level scapegoat. Senior management must not be above such “not wanted here” policies.

Tech dummy March 1, 2022 9:08 PM

@Clive
So simple even I can understand it!
But as we know, “common sense” isn’t!

Clive Robinson March 2, 2022 9:31 AM

@ Tech Dummy,

But as we know, “common sense” isn’t!

It’s not just the apparent scarcity of common sense…

In the electronics design game, there is a saying,

“The only problem with making something “fool proof” is you can never find a fool to test it, but that does not matter, as those who think they are clever will break anything you can make by being stupid”…

It appears to apply as well to not just the users of computer systems, as our host @Bruce has observed in the past, but also those who frequently build what are insecure systems effectively “by design” with them.

Or I should perhaps say more frequently their managers, pushing for what can not be safely done with the current state of the technology. Which quite a few would say is dire, and getting worse not better… For instance the MS Win 11 news, with it having to be online much of the time, not for any other reason than MS Telemetry…

Time for a little sweepstake… We all know it’s a question of when not if… But who wants to suggest a date when MS’s 360 Cloud products are reamed out entirely?

Clive Robinson March 2, 2022 6:27 PM

@ ResearcherZero,

I’ve just read through it, what can I say but “Struth Mate”…

Or to put it another way, the eye of this needle you could drive every camel that ever existed through in the blink of an eye.

And that’s before you start thinking about the “criminal opportunities” the amendment makes possible, or should I say “obviously enables”?

vas pup March 3, 2022 4:39 PM

@all
Science Channel ‘SPYCRAFT’ last episode (03.01.22) was about cryptography and cryptanalysis.

vas pup March 3, 2022 4:51 PM

Tag – Academic paper
Seeing is believing when it comes to health risk and behavior change
https://www.sciencedaily.com/releases/2022/03/220303141150.htm

“Using medical imaging technologies that can visualize health may discourage risk-related behaviors more than non-visual information. A new meta-analysis finds that when individuals undergo an imaging procedure and are shown visual personalized information about their own risk of disease, they may be more likely to reduce risky behaviors.”

I guess same could be utilized for preventing other type of risk behavior e.g. criminal activity.

vas pup March 3, 2022 4:58 PM

Changing your mind based on information, or simply to conform? Brain activity differentiates between types of social influence
https://www.sciencedaily.com/releases/2022/03/220303141143.htm

“Researchers have characterized brain activity that occurs when we are socially influenced to change our minds. The study shows how the brain distinguishes between different types of social conformity when revising one’s opinions.

Changing one’s mind after learning additional information from another person is an example of informational social influence. On the other hand, if it’s because of the desire to be socially accepted, it’s an example of normative social influence. Until now, no study of the underlying brain mechanisms has differentiated between these two situations.

Reciprocal conformity is a behavior indicative of the desire for social acceptance, and understanding its neural basis is crucial when confronting instances of excessive conformity. Future studies should explore the limits of normative conformity with respect to non-human machines.

!!!!Mahmoodi adds, “Human dorsal anterior cingulate cortex tracks the weight of others’ opinion in social interaction. This brain signal treats advice from humans and from artificial intelligence similarly in matters of information. In matters of social norms such as reciprocity, however, this brain area gives no weight to AI.”
