
South Korean Cybersecurity Agency Released Free Decryptor for Hive Ransomware Victims

Vlad CONSTANTINESCU

July 01, 2022


The South Korean government’s cybersecurity watchdog recently released a free decryptor tool for victims of Hive ransomware. The tool works for files encrypted by Hive versions v1 through v4.

The regulator also released a user manual with step-by-step instructions on recovering encrypted data safely and, most importantly, without paying ransom.

“The Korea Internet & Security Agency (KISA) is distributing the Hive ransomware integrated recovery tool,” reads the agency’s announcement. “This recovery tool can recover Hive ransomware version 1 to version 4.”

Hive has been around since June 2021. Besides running an infamous Ransomware-as-a-Service (RaaS) operation, the Hive gang is also known for its double extortion model, threatening victims with data leaks on its dedicated website (HiveLeaks). The criminals behind the operation use compromised VPN credentials, exposed RDP servers, spam campaigns and other tricks to gain access to their targets.

In February, a team of researchers from South Korea’s Kookmin University used an algorithm flaw to retrieve Hive ransomware’s master encryption key. The experts recovered 95% of the master key without needing the attacker’s RSA private key and managed to decrypt infected data. Researchers tried various recovery levels for the master key, and their experiment yielded the following results:

  • A 92%-recovered master key decrypted roughly 72% of the encrypted files
  • A 96%-recovered master key restored approximately 82% of the locked files
  • A 98%-recovered master key successfully recovered 98% of the encrypted files

Kookmin University cybersecurity experts elaborated on the chain of operations Hive uses to generate and store the master key. First, Hive generates 10 MiB (mebibytes) of random data to use as the master key.

Hive then encrypts each compromised file only partially, using two keystreams derived from that master key. It combines them into a single encryption keystream, XORs it with the file data in alternating blocks, and writes out the encrypted file.
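The following toy model, added here to illustrate the article and not code from KISA, Kookmin University or the Hive operators, shows why a partially recovered master key restores only a fraction of the files. A large random master key is generated, each file draws two keystreams from it at per-file offsets, and the XOR of the two keystreams is applied to every other block of the file. Because XOR is its own inverse, decryption is the same operation, and a file can be fully restored only if every master-key byte its two keystreams touch is among the recovered bytes. All sizes (64 KiB key instead of 10 MiB, keystream and block lengths, a single contiguous gap in the recovered key) are constructed for the demo and are not Hive's real parameters.

```python
import random

# Toy model of the scheme the article describes: a large random master key,
# two per-file keystreams cut from it, XORed into alternating blocks of the
# file. All sizes below are constructed for the demo, not Hive's real ones
# (the article only states that the master key is 10 MiB of random data).
MASTER_KEY_SIZE = 64 * 1024   # constructed (the real master key is 10 MiB)
KS1_LEN = 4096                # constructed length of the first keystream
KS2_LEN = 512                 # constructed length of the second keystream
BLOCK_SIZE = 256              # constructed: every other block of this size is encrypted


def generate_master_key(seed):
    """Stand-in for the random master key; seeded so the demo is repeatable."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(MASTER_KEY_SIZE))


def pick_offsets(rng):
    """Per file, two offsets into the master key select the two keystreams."""
    return (rng.randrange(0, MASTER_KEY_SIZE - KS1_LEN),
            rng.randrange(0, MASTER_KEY_SIZE - KS2_LEN))


def used_positions(length, o1, o2):
    """Master-key byte positions a file of this length actually depends on."""
    used = set()
    for i in range(length):
        if (i // BLOCK_SIZE) % 2 == 0:         # even blocks only; odd blocks stay plaintext
            used.add(o1 + i % KS1_LEN)
            used.add(o2 + i % KS2_LEN)
    return used


def xor_alternate_blocks(data, master, o1, o2):
    """Encrypt or decrypt (XOR is its own inverse) the even-numbered blocks."""
    out = bytearray(data)
    for i in range(len(data)):
        if (i // BLOCK_SIZE) % 2 == 0:
            out[i] ^= master[o1 + i % KS1_LEN] ^ master[o2 + i % KS2_LEN]
    return bytes(out)


def partial_master_key(master, unknown_start, unknown_end):
    """Model a partially recovered master key: one contiguous gap that was never learned."""
    known = bytearray(b"\x01" * MASTER_KEY_SIZE)
    recovered = bytearray(master)
    for idx in range(unknown_start, unknown_end):
        known[idx] = 0
        recovered[idx] = 0                     # placeholder; the true byte is lost
    return bytes(recovered), bytes(known)


def try_recover(ciphertext, partial, o1, o2):
    """Decrypt only if every master-key byte the file depends on is known; else None."""
    recovered, known = partial
    if any(not known[p] for p in used_positions(len(ciphertext), o1, o2)):
        return None
    return xor_alternate_blocks(ciphertext, recovered, o1, o2)


def recovery_rate(master, partial, n_files, file_len, seed):
    """Fraction of n_files simulated victim files that the partial key fully restores."""
    rng = random.Random(seed)
    restored = 0
    for _ in range(n_files):
        plaintext = bytes(rng.getrandbits(8) for _ in range(file_len))   # constructed file
        o1, o2 = pick_offsets(rng)
        ciphertext = xor_alternate_blocks(plaintext, master, o1, o2)
        if try_recover(ciphertext, partial, o1, o2) == plaintext:
            restored += 1
    return restored / n_files


if __name__ == "__main__":
    master = generate_master_key(2022)
    gap = int(MASTER_KEY_SIZE * 0.08)          # pretend 92% of the key was recovered
    partial = partial_master_key(master, 10_000, 10_000 + gap)
    print("files fully restored with a 92%-known key:",
          recovery_rate(master, partial, 200, 8192, 7))
```

Running the script reports the share of simulated files a key with an 8% gap can restore; the exact figure depends on the constructed sizes and is not meant to reproduce the Kookmin results, only the mechanism behind them: a file is lost whenever either of its keystream offsets lands in the unrecovered region, and is fully restored otherwise, which is why the recovered-file percentage tracks, but does not equal, the recovered-key percentage.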

While the security team’s experiment succeeded in partially recovering encrypted files, their research likely laid a solid foundation for KISA to develop the free decryption tool.
