Error in encryption algorithm: Master key for Hive ransomware decrypted
by Tina Siering
Update as of 27 January 2023: Hive hacker network busted
In January 2023, German investigators in cooperation with Europol, the FBI and other US authorities succeeded in striking a blow against the hacker group "Hive": Cyber specialists were able to penetrate the criminal IT infrastructure of the perpetrators, seize a large number of servers and secure data and accounts of the network and its users. The website of the hackers in the Darknet is now offline.
"Hive" is said to have been responsible for more than 1500 cyber attacks against companies and organisations worldwide in recent years - more than 70 in Germany alone. Among the victims were mainly hospitals, educational institutions, financial companies and companies from the critical infrastructure sector.
How was the Hive ransomware cracked?
In mid-February 2022, researchers from South Korea's Kookmin University published an announcement stating that they had managed to crack the Hive ransomware's encryption mechanism. In experiments, they were able to recover the ransomware's master key without knowing the private key for the particular process.
To do this, the specialists made use of a vulnerability in the encryption algorithm, which they found by analyzing the behavior pattern of the ransomware. This cryptographic vulnerability allows the main file encryption key to be easily guessed.
The researchers of the project at Kookmin University believe that the vulnerability they found will become a reliable method for recovering almost all data encrypted by the Hive ransomware.
They estimate that their technique will be effective 92 to 98 percent of the time, recovering up to 95 percent of encrypted data. For affected victims, this means that attacks with the Hive ransomware may lose much of their terror in the future, and that a lot of already encrypted data can also be recovered.
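Why a known plaintext helps here: the Kookmin researchers reported that Hive encrypts each file by XORing it with windows of one large master key, selected by per-file offsets, and reuses that master key across all files on a victim system. The following added Python example is not the researchers' code and does not use Hive's real parameters (the master-key size, offsets and sample files are constructed, and the scheme is simplified to a single window); it shows how one file whose unencrypted copy survives, for instance in a backup, exposes master-key bytes that decrypt the overlapping part of a second file for which no plaintext is known.

```python
import random

# Toy sizes, constructed for this illustration; Hive's real master key is
# megabytes long and its real scheme XORs two windows of it per file.
MASTER_LEN = 1024

def keystream(master: bytes, offset: int, n: int) -> bytes:
    """Per-file keystream: a window of the shared master key that starts at a
    per-file offset and wraps around at the end of the master key."""
    return bytes(master[(offset + i) % len(master)] for i in range(n))

def xor_encrypt(master: bytes, offset: int, data: bytes) -> bytes:
    """XOR with the keystream; calling it again on the output undoes it."""
    return bytes(p ^ k for p, k in zip(data, keystream(master, offset, len(data))))

def recover_master(master_len: int, known_pairs: list) -> list:
    """Each known (offset, plaintext, ciphertext) triple exposes keystream
    bytes p ^ c, i.e. master-key bytes at known positions. Positions that
    no known pair covers stay None."""
    table = [None] * master_len
    for offset, plain, cipher in known_pairs:
        for i, (p, c) in enumerate(zip(plain, cipher)):
            table[(offset + i) % master_len] = p ^ c
    return table

def decrypt_with_partial(table: list, offset: int, cipher: bytes) -> tuple:
    """Decrypt a file with no known plaintext using only recovered master-key
    bytes; positions still unknown become '?'. Returns (plaintext, fraction)."""
    out, hits = bytearray(), 0
    for i, c in enumerate(cipher):
        k = table[(offset + i) % len(table)]
        if k is None:
            out.append(ord("?"))
        else:
            out.append(c ^ k)
            hits += 1
    return bytes(out), (hits / len(cipher) if cipher else 0.0)

def demo() -> tuple:
    rng = random.Random(2022)
    master = bytes(rng.getrandbits(8) for _ in range(MASTER_LEN))  # attacker's secret
    # File A: the victim still holds an unencrypted copy (e.g. from a backup).
    file_a = b"PK\x03\x04" + bytes(200)                     # constructed sample
    ct_a = xor_encrypt(master, 100, file_a)
    # File B: only the ciphertext survives, but its window overlaps file A's.
    file_b = b"Quarterly report: revenue up 12%; see attached." * 4
    ct_b = xor_encrypt(master, 150, file_b)
    table = recover_master(MASTER_LEN, [(100, file_a, ct_a)])
    return decrypt_with_partial(table, 150, ct_b)

if __name__ == "__main__":
    plain, frac = demo()
    print(f"recovered {frac:.0%} of file B: {plain[:48]!r}")
```

In this constructed case file A's window covers master-key positions 100 to 303 and file B's covers 150 to 337, so the first 154 bytes of file B decrypt and the last 34 stay unknown; every further file with a known plaintext fills in more of the table.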
What is the Hive ransomware?
Hive belongs to the category of Ransomware as a Service. Similar to a cloud service, cybercriminals offer the platform as a digital service. Other criminals rent the platform to launch cyberattacks using Hive's tools. The developers behind Hive then receive a portion of the extorted ransoms in successful cyberattacks or get paid directly for using the ransomware.
Hive first appeared in June 2021 and has been increasingly used in ransomware attacks ever since. By the fall of 2021, Hive was already among the top ten most active ransomware variants worldwide. Over 350 companies were victims of cyberattacks with this ransomware by October 2021.
Ransomware and the encryption of data in general
The fact that South Korean researchers managed to crack the ransomware is surprising and good news. Affected victims now have hope that their data can be recovered after all. However, there is no guarantee that this method will remain effective in the future. This is because the cybercriminals behind the ransomware will most likely react to the current developments and continue to develop the ransomware.
Thus, it can be assumed that the hackers will close the security hole in the near future. Just as a software vendor releases a security update shortly after a vulnerability is discovered, the hackers update their ransomware-as-a-service offering. After all, it is a lucrative source of income for the criminals.
For this reason, it is crucial that companies and IT managers do not rely on this type of data recovery in the event of a ransomware attack. It is far more important to take precautions so that decryption is never needed. Two measures in particular help companies protect their networks and prevent data loss.
The first point concerns the backup strategy: every company needs multiple backup copies of all digital information. Here, the 3-2-1 backup strategy has established itself as the minimum standard. This strategy specifies that there are three copies of data in two types of storage at any given time, and one copy is stored on an external system that is separate from the network.
The second is to implement active early attack detection. These systems continuously monitor the company's own network for suspicious activity. This includes, most notably, the actions of hackers who deploy ransomware such as Hive on compromised networks. Early attack detection alerts IT leaders in real time when suspicious activity has been identified. This makes it possible to stop cyberattacks in their early stages, before the hackers manage to activate the ransomware or otherwise cause major damage.