Abstract

Among the many types of malicious software currently circulating, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies have experienced considerable damage, such as the payment of large amounts of money or the loss of important data. In this study, we analyzed the Hive ransomware, which appeared in June 2021. The Hive ransomware has caused immense harm, leading the FBI to issue an alert. To minimize the damage caused by the Hive ransomware and to help victims recover their files, we analyzed the Hive ransomware and studied recovery methods. By analyzing the encryption process of the Hive ransomware, we confirmed that vulnerabilities exist in its own encryption algorithm. We partially recovered the keytable used to generate the file encryption key, enabling the decryption of data encrypted by the Hive ransomware. We recovered 95% of the keytable without the attacker's RSA private key and decrypted actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting the Hive ransomware. It is expected that our method can be used to reduce the damage caused by the Hive ransomware.
