{
	"id": "33833211-e1a1-4971-9d5f-d02b37539cc2",
	"created_at": "2026-04-06T01:29:17.538065Z",
	"updated_at": "2026-04-10T03:21:25.595736Z",
	"deleted_at": null,
	"sha1_hash": "2a5d8673c3543d6e621be95c1d608a151b7b5bfb",
	"title": "Academics publish method for recovering data encrypted by the Hive ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 300801,
	"plain_text": "Academics publish method for recovering data encrypted by the\r\nHive ransomware\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-17 · Archived: 2026-04-06 01:14:27 UTC\r\nA team of South Korean researchers published an academic paper on Thursday detailing a method to recover\r\nfiles encrypted by the Hive ransomware without paying the attackers for the decryption key.\r\n\"By analyzing the encryption process of [the] Hive ransomware, we confirmed that vulnerabilities exist by using\r\ntheir own encryption algorithm,\" four scientists from Seoul's Kookmin University said yesterday.\r\n\"Hive ransomware encrypts files by XORing the data with a random keystream that is different for each file. We\r\nfound that this random keystream was sufficiently guessable,\" they added.\r\nStarting from this premise, researchers said they were able to recover a large portion of the \"master key\" that was\r\nused as the base to encrypt a victim's files.\r\nThe researchers said the technique they developed recovers around 95% of the master key, but even in this\r\nincomplete state, the key can be used to decrypt encrypted data, ranging from 82% to 98% of the victim's files,\r\ndepending on how much of the original master key is recovered.\r\nhttps://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/\r\nPage 1 of 3\n\nThe research team published a technical breakdown of their findings in a whitepaper titled \"A Method for\r\nDecrypting Data Infected with Hive Ransomware.\"\r\nThe work was done by members of the Dept. of Financial Information Security and the Dept. 
of Information\r\nSecurity, Cryptology, and Mathematics from Kookmin University, in Seoul, South Korea.\r\nTheir work was sponsored by a grant from the Korean government and supported by Korea's Information Security\r\nAgency (KISA).\r\nTogether with their US and European counterparts, South Korean law enforcement has been extremely active in\r\nchasing down and dealing with the current ransomware problem, having contributed to the arrest of several\r\nmembers of the Clop ransomware gang.\r\nThe Hive ransomware gang first appeared in June 2021 and has become one of the most active ransomware\r\ngroups today, after the shutdowns of gangs like REvil, Darkside, BlackMatter, and Avaddon.\r\nIn August 2021 and January 2022, the FBI and Spain's INCIBE agencies released reports [FBI, INCIBE] detailing\r\nthe Hive ransomware group's operations after seeing spikes in activity from the gang.\r\nThe Hive ransomware group did not list a contact method on their leak site and couldn't be contacted for\r\ncomment on the release of the academic paper.\r\nLeak site for new Hive ransomware looks pretty snazzy. 
Looks like some ransomware group have\r\ndiscovered ThemeForest pic.twitter.com/VVli1TPyzr\r\n— Catalin Cimpanu (@campuscodi) June 29, 2021\r\nResearchers from at least two security firms—Bitdefender and Kaspersky—are currently analyzing the paper to\r\nsee if they can create a free Hive decrypter based on the Korean researchers' findings.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/"
	],
	"report_names": [
		"academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438957,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a5d8673c3543d6e621be95c1d608a151b7b5bfb.pdf",
		"text": "https://archive.orkl.eu/2a5d8673c3543d6e621be95c1d608a151b7b5bfb.txt",
		"img": "https://archive.orkl.eu/2a5d8673c3543d6e621be95c1d608a151b7b5bfb.jpg"
	}
}