Researchers have detailed what they call the “first successful attempt” at decrypting data infected with Hive ransomware without relying on the private key used to lock access to the content.
“We were able to recover the master key for generating the file encryption key without the attacker’s private key, by using a cryptographic vulnerability identified through analysis,” a group of academics from South Korea’s Kookmin University said in a new paper dissecting its encryption process.
Hive, like other cybercriminal groups, operates a ransomware-as-a-service that uses different mechanisms to compromise business networks, exfiltrate data, and encrypt data on the networks, and attempts to collect a ransom in exchange for access to the decryption software.
It was first observed in June 2021, when it struck a company called Altus Group. Hive leverages a variety of initial compromise methods, including vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments.
The group also practices the increasingly lucrative scheme of double extortion, wherein the actors go beyond just encryption by also exfiltrating sensitive victim data and threatening to leak the information on their Tor site, “HiveLeaks.”
images from Hacker News