{
	"id": "b771ee2b-51d1-47c4-8aef-622ab728d0f9",
	"created_at": "2026-04-06T00:18:37.804511Z",
	"updated_at": "2026-04-10T03:20:02.92865Z",
	"deleted_at": null,
	"sha1_hash": "02a898be76f91bcdfbfa79a7647991cacd9bad3e",
	"title": "A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149769,
	"plain_text": "A flaw in the encryption algorithm of Hive Ransomware allows\r\nretrieving encrypted files\r\nBy Pierluigi Paganini\r\nPublished: 2022-02-21 · Archived: 2026-04-05 23:00:59 UTC\r\n Pierluigi Paganini February 21, 2022\r\nResearchers discovered a flaw in the encryption algorithm used by Hive\r\nransomware that allowed them to decrypt data.\r\nResearchers discovered a flaw in the encryption algorithm used by Hive ransomware that allowed them to decrypt\r\ndata without knowing the private key used by the gang to encrypt files.\r\nThe Hive ransomware operation has been active since June 2021, it provides Ransomware-as-a-Service Hive and\r\nadopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks).\r\nIn April 2021, the Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks\r\nthat includes technical details and indicators of compromise associated with the operations of the gang. According\r\nto a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10\r\nransomware strains by revenue in 2021. The group used a variety of attack methods, including malspam\r\ncampaigns, vulnerable RDP servers, and compromised VPN credentials.\r\n“Hive ransomware uses a hybrid encryption scheme, but uses its own symmetric cipher to encrypt files. We were\r\nable to recover the master key for generating the file encryption key without the attacker’s private key, by using a\r\ncryptographic vulnerability identified through analysis. As a result of our experiments, encrypted files were\r\nsuccessfully decrypted using the recovered master key based on our mechanism.” reads the paper published by\r\nresearchers from Kookmin University (South Korea). “To the best of our knowledge, this is the first successful\r\nattempt at decrypting the Hive ransomware. We experimentally demonstrated that more than 95% of the keys used\r\nfor encryption could be recovered using the method we suggested.”\r\nThe technique devised by the team of academics was able to recover more than 95% of the keys used\r\nfor the encryption process that is represented in the following image:\r\nhttps://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html\r\nPage 1 of 2\n\nThe experts detailed the process used by Hive ransomware to generate and store master key for victim files. The\r\nransomware generates 10MiB of random data, and uses it as a master key. The malware extracted from a specific\r\noffset of the master key 1MiB and 1KiB of data for each file to be encrypted and uses as a keystream. The offset is\r\nstored in the encrypted file name of each file. This means that experts were able to determine the offset of the\r\nkeystream stored in the filename and decrypt the file.\r\n“Hive ransomware encrypts files by XORing the data with a random keystream that is different for each file. We\r\nfound that this random keystream was sufficiently guessable.” continues the paper. “Hive ransomware generates a\r\ndata encryption keystream (EKS) that appears random for each file, and encrypts the file by XORing EKS with the\r\nfile. However, EKS is created using two keystreams extracted from the previously created master key During the\r\nencryption process, only the part of the file, not the entire area, is encrypted.”\r\nThe results of the tests demonstrated the efficiency of the method, the master key recovered 92% succeeded in\r\ndecrypting approximately 72% of the files, while the master key restored 96% succeeded in decrypting\r\napproximately 82% of the files, and the master key restored 98% succeeded in decrypting approximately 98% of\r\nthe files.\r\nFollow me on Twitter: @securityaffairs and Facebook\r\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, ransomware)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nSource: https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html\r\nhttps://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html"
	],
	"report_names": [
		"recover-files-hive-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434717,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02a898be76f91bcdfbfa79a7647991cacd9bad3e.pdf",
		"text": "https://archive.orkl.eu/02a898be76f91bcdfbfa79a7647991cacd9bad3e.txt",
		"img": "https://archive.orkl.eu/02a898be76f91bcdfbfa79a7647991cacd9bad3e.jpg"
	}
}