Nice piece of research:
Abstract: Among the many types of malicious codes, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies suffer from considerable damage, such as the payment of huge amounts of money or the loss of important data. In this paper, we analyzed Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive Ransomware and to help victims recover their files, we analyzed Hive Ransomware and studied recovery methods. By analyzing the encryption process of Hive ransomware, we confirmed that vulnerabilities exist by using their own encryption algorithm. We have recovered the master key for generating the file encryption key partially, to enable the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. It is expected that our method can be used to reduce the damage caused by Hive ransomware.
Here’s the flaw:
The cryptographic vulnerability identified by the researchers concerns the mechanism by which the master keys are generated and stored, with the ransomware strain only encrypting select portions of the file as opposed to the entire contents using two keystreams derived from the master key.
The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file. But this technique also makes it possible to guess the keystreams and restore the master key, in turn enabling the decode of encrypted files sans the attacker’s private key.
The researchers said that they were able to weaponize the flaw to devise a method to reliably recover more than 95% of the keys employed during encryption.
More Stories
France Bans TikTok, Other ‘Fun’ Apps From Government Devices
The move is expected to affect roughly 2.5 million government officials Read More
Data loss from insider events increase despite IRM programs: Report
A vast majority of companies are struggling with data losses from insider events despite having dedicated insider risk management (IRM)...
Security Vulnerabilities in Snipping Tools
Both Google’s Pixel’s Markup Tool and the Windows Snipping Tool have vulnerabilities that allow people to partially recover content that...
Dridex malware, the banking trojan
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of...
Four Years Behind Bars for Prolific BEC Scammer
Solomon Ekunke Okpe and others made over $1m from online fraud Read More
Call for Submissions to UK’s New Computer Misuse Act
Bugcrowd is concerned about a lack of protection for ethical hackers Read More