We will be happy to advise you!

Hotline:
+49 (0) 40 38 90 710

E-mail:
info@secion.de

Contact form

Error in encryption algorithm: Master key for Hive ransomware decrypted

by

Reading time: minutes ( words)
Hive Ransomware - can encrypted data be recovered after all?

Update as of 27 January 2023: Hive hacker network busted

In January 2023, German investigators in cooperation with Europol, the FBI and other US authorities succeeded in striking a blow against the hacker group "Hive": Cyber specialists were able to penetrate the criminal IT infrastructure of the perpetrators, seize a large number of servers and secure data and accounts of the network and its users. The website of the hackers in the Darknet is now offline.

"Hive" is said to have been responsible for more than 1500 cyber attacks against companies and organisations worldwide in recent years - more than 70 in Germany alone. Among the victims were mainly hospitals, educational institutions, financial companies and companies from the critical infrastructure sector.

How was the Hive ransomware cracked?

In mid-February 2022, researchers from South Korea's Kookmin University published an announcement stating that they had managed to crack the Hive ransomware's encryption mechanism. In experiments, they were able to recover the ransomware's master key without knowing the private key for the particular process.

To do this, the specialists made use of a vulnerability in the encryption algorithm, which they found by analyzing the behavior pattern of the ransomware. This cryptographic vulnerability allows the main file encryption key to be easily guessed.

The researchers of the project at Kookmin University believe that the found vulnerability will turn into a reliable method to recover almost all data encrypted by the Hive ransomware.

They believe their technique will be effective 92 to 98 percent of the time, recovering up to 95 percent of encrypted data. For affected victims, this means that attacks with the Hive ransomware may lose their terror in the future and that a lot of already encrypted data can also be recovered.

What is the Hive ransomware?

Hive belongs to the category of Ransomware as a Service. Similar to a cloud service, cybercriminals offer the platform as a digital service. Other criminals rent the platform to launch cyberattacks using Hive's tools. The developers behind Hive then receive a portion of the extorted ransoms in successful cyberattacks or get paid directly for using the ransomware.

Hive first appeared in June 2021 and has been increasingly used in ransomware attacks ever since. By the fall of 2021, Hive was already among the top ten most active ransomware variants worldwide. Over 350 companies were victims of cyberattacks with this ransomware by October 2021.

Ransomware and the encryption of data in general

The fact that South Korean researchers managed to crack the ransomware is surprising and good news. Affected victims now have hope that their data can be recovered after all. However, there is no guarantee that this method will remain effective in the future. This is because the cybercriminals behind the ransomware will most likely react to the current developments and continue to develop the ransomware.

Thus, it can be assumed that the hackers will close the security hole in the near future. Similar to a security update for software that is released in a short period of time after a vulnerability is discovered, the hackers update their ransomware as a service. After all, this is a lucrative source of income for the criminals.

For this reason, it is crucial that companies and IT managers do not rely on this type of data recovery in the event of a ransomware attack. It is much more important to take precautions and thus not rely on decryption. Here, there are two methods in particular that companies can use to protect their networks or prevent data loss.

The first point concerns the backup strategy: every company needs multiple backup copies of all digital information. Here, the 3-2-1 backup strategy has established itself as the minimum standard. This strategy specifies that there are three copies of data in two types of storage at any given time, and one copy is stored on an external system that is separate from the network.

The second is to implement active early attack detection. These systems consistently scan their own network, looking for suspicious activity. This includes, most notably, the actions of hackers who deploy ransomware such as Hive on compromised networks. Early attack detection alerts IT leaders in real time when suspicious activity has been identified. This makes it possible to stop cyberattacks in their early stages, before the hackers manage to activate the ransomware or otherwise cause major damage.

Need help upgrading your IT security for 2022? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back

Related articles

Caution, Quishing: Criminals use QR codes for phishing attacks

Caution, Quishing: Criminals use QR codes for phishing attacks

QR codes have been around for almost 30 years. Today, we scan the square codes with our smartphone as a matter of course to release bank orders, create a digital vaccination certificate or retrieve coupons. However, since QR codes are also used by cybercriminals for fraudulent purposes, you should not trust the little squares without limits. You should be especially careful if you receive a QR code via email: A sophisticated phishing attack could be hiding behind it. We show you how to recognize quishing attacks and protect yourself from them.

Black Basta: New findings on the notorious ransomware

Caution, Quishing: Criminals use QR codes for phishing attacks

In early October, the ransomware group Black Basta attacked an IT service provider of the Deutsche Presse-Agentur (dpa), stealing the data records of 1,500 dpa employees as well as pension recipients of the dpa support fund. Two weeks later, the cybercriminals published the first sensitive data of the victims on the darknet. This incident is just one of many attacks associated with the notorious Black Basta ransomware - and there will be many more to come. That's because, as new research shows, the cybercriminals act very similarly to other aggressive hacker groups.

Hacking to listen to: The 5 most popular IT security podcasts from our IT security consultants

Hacking you can listen to: 5 popular IT security podcasts

The cybersecurity industry is more dynamic and rapidly changing than any other sector. Today's insights may already be outdated tomorrow. Because at the same pace as IT security develops new measures to protect IT infrastructure, networks, and endpoints, cyber criminals bring new tools to the market, refine attack methods, or use unknown techniques to successfully carry out cyber attacks. Anyone who wants to stay as well informed as possible in the multi-layered environment is dependent on regular updates. This applies equally to technically interested users and IT staff. One popular source of information in Germany is the podcast. More than 40% of all Germans regularly listen to podcasts - one fifth of them daily. We asked our IT security consultants for recommendations on ethical hacking and present our top 5 most popular cybersecurity podcasts here.