## A Method for Decrypting Data Infected with Hive Ransomware

#### Giyoon Kim[1][a], Soram Kim[1][a], Soojin Kang[1][a], and Jongsung Kim[∗a,b]

[a] Dept. of Financial Information Security, Kookmin University, 77 Jeongneung-Ro, Seongbuk-Gu, Seoul, 02707, Korea
[b] Dept. of Information Security, Cryptology, and Mathematics, Kookmin University, 77 Jeongneung-Ro, Seongbuk-Gu, Seoul, 02707, Korea

#### February 18, 2022

**Abstract**

Among the many types of malicious code, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. Because data recovery is impossible without the encryption key, some companies suffer considerable damage, such as paying huge sums of money or losing important data. In this paper, we analyze Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive ransomware and to help victims recover their files, we analyzed Hive ransomware and studied recovery methods. By analyzing its encryption process, we confirmed that vulnerabilities exist because Hive uses its own encryption algorithm. We partially recovered the master key from which the file encryption keys are generated, which enables the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. We expect that our method can be used to reduce the damage caused by Hive ransomware.

∗Corresponding author
1 These authors contributed equally to this work.

### 1 Introduction
Email addresses: gi0412@kookmin.ac.kr (Giyoon Kim), kimsr2040@kookmin.ac.kr (Soram Kim), szin31@kookmin.ac.kr (Soojin Kang), jskim@kookmin.ac.kr (Jongsung Kim). URL: https://dfnc.kookmin.ac.kr

### 2 Related Work

main target of the ransomware [?]. Scaife et al. proposed an early warning

### 3 Hive ransomware analysis

#### 3.1 Encryption process

**Generating a master key**

**Encrypting the master key**

somware has administrator privileges, it is stored in C:\\; if not, it is stored in C:\Users\\AppData\Local\VirtualStore. The filename of the encrypted master key is base64url_encoded_string.key.hive. The en

**Terminating specific processes and services**

**Creating batch files**

**Creating ransom notes**

each directory with the file name HOW_TO_DECRYPT.txt. The ransom

**Encrypting files**

files, executables, and files stored in C:\Users\Windows via an encryption process with ten threads in parallel. However, the C:\Users\Program Files(x86), C:\Users\Program Files, and C:\Users\ProgramData paths

in C:\Users\Program Files(x86), C:\Users\Program Files, and C:\Users\ProgramData are encrypted. If not, the files in C:\Users\Program Files(x86), C:\Users\Program Files, and the C:\Users\ProgramData path are stored in C:\Users\\AppData\Local\VirtualStore

**Destroying the master key**

**Cleaning disk**

ingless data in C:\\ or C:\Users\\AppData\Local\VirtualStore until the hard disk is full. This makes it impossible to restore encrypted

#### 3.2 File encryption process

Hive ransomware generates a data encryption keystream (EKS) that appears random for each file, and encrypts the file by XORing the EKS with the file. However, the EKS is created using two keystreams extracted from the

**Extracting two keystreams from the master key**

- Keystream1 offset (SP1): R1 % 0x900000
- Keystream2 offset (SP2): R2 % 0x9FFC00

in the filename in little-endian format after encoding with base64url.
The file name is generated using the following rule: Original Filename.base64url(MD5(Encrypted_master_key)

**Encrypting a file**

- Encrypted data[i] ← Data[i] ⊕ Keystream1[i % 0x100000] ⊕ Keystream2[i % 0x400]
- EKS[i] ← Keystream1[i] ⊕ Keystream2[i % 0x400] (i ← 0, 1, ···, 0xFFFFF)
- Encrypted data ← Data[offset] ⊕ EKS[offset % 0x100000]

a certain amount. The non-encrypted data block size (NBS) that the offset

Table 3: Calculation of T and NBS by file size FS (the size thresholds are those of Algorithm 1).

| File size FS | T |
| --- | --- |
| FS < 0x20000 | T = FS ≫ 12 |
| 0x20000 ≤ FS < 0x100000 | T = ((FS ≫ 12) × 30) / 100 |
| 0x100000 ≤ FS < 0xA00000 | T = ((FS ≫ 12) × 20) / 100 |
| 0xA00000 ≤ FS < 0x6400000 | T = ((FS ≫ 12) × 10) / 100 |
| 0x6400000 ≤ FS < 0x40000000 | T = ((FS ≫ 12) × 5) / 100 |
| 0x40000000 ≤ FS | T = ((FS ≫ 12) × 1) / 100 |

NBS = (FS − (T ≪ 12)) / (T − 1)

block (NBS bytes) appear alternately, as depicted in Fig. 6. However, in

**Example of Hive ransomware infection**

then SP1 and SP2 become 0x667926 and 0x24f5b6. EKS is created with two

By Table 3, NBS becomes 0x24f5b6, so 0x1000 bytes of encryption and

of ‘test.jpg’. According to the filename rule (base64url(MD5(Encrypted_master_key) ∥ R1 ∥ R2)),

### 4 Hive ransomware decryption methodology

to generate an EKS, and the EKS encrypts the data using XOR. The EKS looks random, but the keystream used to generate the EKS is partially reused when en

the algorithm that generates the EKS is also XOR; therefore, it becomes easy to

the original and the encrypted file we can obtain the EKS. It is also possible to determine the EKS without the original unencrypted

#### 4.1 Method for restoring the Hive ransomware master key

collecting as many fragmented EKS as possible that satisfy at least one of the two conditions.
If either of the two conditions is satisfied, the EKS can

- SP1 ← Keystream1 start offset (R1 % 0x900000)
- SP2 ← Keystream2 start offset (R2 % 0x9FFC00)
- Keystream1 ← Encryption_key[SP1 : SP1 + 0x100000]
- Keystream2 ← Encryption_key[SP2 : SP2 + 0x400]
- EKS[i] ← Keystream1[i] ⊕ Keystream2[i % 0x400] (i ← 0, 1, ···, 0xFFFFF)
- Encrypted data ← Data[offset] ⊕ EKS[offset % 0x100000]

As can be seen from the core encryption algorithm, the EKS is generated with Keystream1. The EKS is generated from two keystreams, but these are

of continuous EKS using the original file and the infected file is the same

Figure 7: Process of the set separation of equations obtained from the EKS

is, if one EKS is used, a maximum value of 1,025 bytes of the master key

from among 1,025 bytes to generate the EKS, the byte guessed by XOR is removed, and using this approach, we can generate the EKSs that are

- Keystream1[SP1 + 1] ⊕ Keystream2[SP2 + 1] = 0x80 ⟺ Keystream1[SP1 + 1] = Keystream2[SP2 + 1] ⊕ 0x80
- Keystream1[SP1 + 0x401] ⊕ Keystream2[SP2 + 1] = 0x88 ⟺ Keystream1[SP1 + 0x401] = Keystream2[SP2 + 1] ⊕ 0x88
- Keystream1[SP1 + 1] ⊕ Keystream1[SP1 + 0x401] = 0x08

The amount of data that can be guessed from one set of 1 MiB EKS is 1,025 bytes. Now consider the case of two sets. When generating an EKS by

dent equations x1 ⊕ y1 = 0x80, x2 ⊕ y2 = 0x88 are obtained through the EKS. And suppose that the actual values were x1 = 0xFF, y1 = 0x7F, x2 = 0x23, y2 = 0xAB. If we want to know the value of x1 ⊕ x2, we have to know the correct y1 ⊕ y2 value. Failure to find the correct y1 ⊕ y2 results in the equation becoming

that cannot be generated from the EKS. When the correct equation is found, the two sets are chained to form one large set. Finally, it takes (n − 1) × 256

n. As a result of our experiment, the number of independent sets n was 1 when a large number of EKS were collected.
It was possible to recover a

Next, consider the case in which the EKS is obtained from two encrypted

among the keystreams for generating EKS1 and EKS2 (Fig. 9). This problem

the more EKS obtained, the larger the number of master key bytes recovered at once

**Algorithm 1 Calculation of the non-encrypted data block size**

**Require:** File_Size
**Ensure:** non-encrypted data block size NBS

```
FS ← File_Size
NBS ← 0
if FS ≤ 0x1000 then return NBS
else if FS < 0x20000 then
    R ← FS ≫ 12
else if FS < 0x100000 then
    R ← ((FS ≫ 12) * 30) / 100
else if FS < 0xA00000 then
    R ← ((FS ≫ 12) * 20) / 100
else if FS < 0x6400000 then
    R ← ((FS ≫ 12) * 10) / 100
else if FS < 0x40000000 then
    R ← ((FS ≫ 12) * 5) / 100
else
    R ← ((FS ≫ 12) * 1) / 100
end if
if R == 1 then return NBS
end if
NBS ← (FS − (R ≪ 12)) / (R − 1)
return NBS
```

**Algorithm 2 Calculation of the start offsets of Keystream1 and Keystream2**

**Require:** Infected file name
**Ensure:** Keystream offsets SP1, SP2

```
R ← base64urldecode(Filename)[16:]
R1 ← byte_to_int64(R[:8])        ▷ little endian
R2 ← byte_to_int64(R[8:])        ▷ little endian
SP1 ← R1 % 0x900000
SP2 ← R2 % 0x9FFC00
```

**Algorithm 3 Hive ransomware master key recovery**

**Require:** Infected files, Original files
**Ensure:** Recovered Hive ransomware master key

```
▷ Extract equations using original file and infected file
EQS ← set()
for IF, OF in (Infected files, Original files) do
    NBS ← calc_NBS(IF.size)                 ▷ Using Algorithm 1
    SP1, SP2 ← calc_offset(IF.name)         ▷ Using Algorithm 2
    iter ← IF.size / (0x1000 + NBS)
    offset ← 0
    for i ← 0 ··· iter do
        if i == iter then
            offset ← final encryption block offset    ▷ See Section 3
        end if
        for j ← 0 ··· 0xFFF do
            O1 ← offset % 0x100000
            O2 ← offset % 0x400
            EQS.add((SP1 + O1, SP2 + O2, IF[offset] ⊕ OF[offset]))
                                            ▷ IF[offset] ⊕ OF[offset] == byte of EKS
            offset += 1
        end for
        offset += NBS
    end for
end for
▷ Extract equation end
EK ← [None] × 0xA00000
E ←$ EQS                                    ▷ choose one equation at random
EK[E[0]] ←$ {0 ··· 255}                     ▷ guess its first byte at random
EQS ← tuple(EQS)
while the size of EQS changes do
    for EQ in EQS do
        if (EK[EQ[0]] == None) and (EK[EQ[1]] == None) then
            continue
        else if (EK[EQ[0]] != None) and (EK[EQ[1]] == None) then
            EK[EQ[1]] ← EK[EQ[0]] ⊕ EQ[2]
        else if (EK[EQ[0]] == None) and (EK[EQ[1]] != None) then
            EK[EQ[0]] ← EK[EQ[1]] ⊕ EQ[2]
        else if (EK[EQ[0]] != None) and (EK[EQ[1]] != None) then
            EQS.pop(EQ)
        end if
    end for
end while
```

#### 4.2 Experiments

files were less than 500 KB. When we collected EKS from files larger than

times, that is, the amount of EKS that can be collected, varies according to the file size (cf. Table 3). The number of EKS that can be collected varies depending on the NBS; the smaller the file size, the smaller the amount of EKS that can be collected. Generally, the larger the file size, the larger the amount of EKS we can collect, but in some cases the amount of EKS

acquire EKS when using files larger than 0x280A000 bytes. Figure 10 shows the available EKS by file size.

of NBS, and found that more effective master key recovery was possible

recovered master key. We infected 50,000 files and collected EKS by using 50 files of 40 MB size.
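The following Python is added here as an example; it is not the paper's code nor the authors' tooling. It models the per-file encryption of Section 3.2 (Algorithms 1 and 2, the EKS construction, and the alternation of 0x1000-byte encrypted blocks with NBS plain bytes) and then runs the equation-based master key recovery of Algorithm 3 on constructed original/infected pairs. It assumes a 0xA00000-byte master key buffer (the size of the EK array in Algorithm 3), that the base64url token is appended to the original name after a dot without "=" padding, that R1 and R2 are read as unsigned little-endian integers, and that the encrypted/plain alternation simply continues to the end of the file, because the paper's rule for the final encryption block is not in this excerpt. It goes beyond Algorithm 3 in seeding every independent set with its own guessed byte and reporting the number of sets n. All function names (calc_nbs, calc_offsets, hive_xor, recover_master_key, demo), the master key, the file names and the file contents are constructed for the demonstration.

```python
# Added example (not the paper's code): Hive per-file encryption model and the
# XOR-equation master key recovery of Algorithm 3, on constructed inputs.
import base64, hashlib, os, random, struct
from collections import defaultdict, deque

KEY_SIZE = 0xA00000               # length of the EK array in Algorithm 3
K1_LEN, K2_LEN = 0x100000, 0x400  # Keystream1 / Keystream2 lengths
ENC_BLOCK = 0x1000                # bytes encrypted per block

def calc_nbs(fs):
    """Algorithm 1: non-encrypted block size between 0x1000-byte encrypted blocks."""
    if fs <= 0x1000:
        return 0
    pct = next(p for lim, p in ((0x20000, 100), (0x100000, 30), (0xA00000, 20),
               (0x6400000, 10), (0x40000000, 5), (float("inf"), 1)) if fs < lim)
    r = (fs >> 12) * pct // 100
    return 0 if r == 1 else (fs - (r << 12)) // (r - 1)

def calc_offsets(iname):
    """Algorithm 2: SP1, SP2 from the base64url token that ends the infected name
    (assumed: last dot-separated part, stored without '=' padding)."""
    token = iname.rsplit(".", 1)[-1]
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    r1, r2 = struct.unpack("<QQ", raw[16:32])  # skip MD5(Encrypted_master_key)
    return r1 % 0x900000, r2 % 0x9FFC00

def infected_name(name, enc_master_key, r1, r2):
    """File name rule: Original.base64url(MD5(Encrypted_master_key) || R1 || R2)."""
    blob = hashlib.md5(enc_master_key).digest() + struct.pack("<QQ", r1, r2)
    return name + "." + base64.urlsafe_b64encode(blob).decode().rstrip("=")

def make_eks(master_key, sp1, sp2):
    """EKS[i] = Keystream1[i] XOR Keystream2[i % 0x400] for i in 0..0xFFFFF."""
    k1 = int.from_bytes(master_key[sp1:sp1 + K1_LEN], "big")
    k2 = int.from_bytes(master_key[sp2:sp2 + K2_LEN] * (K1_LEN // K2_LEN), "big")
    return (k1 ^ k2).to_bytes(K1_LEN, "big")

def encrypted_ranges(size):
    """0x1000-byte encrypted blocks alternating with NBS plain bytes; assumed to
    run to end of file (the paper's final-block rule is not in this excerpt)."""
    nbs, offset = calc_nbs(size), 0
    while offset < size:
        yield range(offset, min(offset + ENC_BLOCK, size))
        offset += ENC_BLOCK + nbs

def hive_xor(master_key, iname, data):
    """XOR the encrypted blocks with the file's EKS; encrypts and decrypts alike."""
    eks, out = make_eks(master_key, *calc_offsets(iname)), bytearray(data)
    for block in encrypted_ranges(len(data)):
        for i in block:
            out[i] ^= eks[i % K1_LEN]
    return bytes(out)

def recover_master_key(pairs, seed=0):
    """Algorithm 3: equations (K1 index, K2 index, EKS byte) from original/infected
    pairs, then propagate from a guessed byte; here every independent set gets
    its own guess (extension). Returns ({key index: byte}, number of sets n)."""
    edges = defaultdict(list)
    for iname, infected, original in pairs:
        sp1, sp2 = calc_offsets(iname)
        for block in encrypted_ranges(len(original)):
            for i in block:
                a, b, e = sp1 + i % K1_LEN, sp2 + i % K2_LEN, infected[i] ^ original[i]
                edges[a].append((b, e))
                edges[b].append((a, e))
    ek, rng, n_sets = {}, random.Random(seed), 0
    for start in edges:
        if start in ek:
            continue
        n_sets += 1
        ek[start] = rng.randrange(256)        # the guessed byte of this set
        queue = deque([start])
        while queue:                          # one side known -> derive the other
            a = queue.popleft()
            for b, e in edges[a]:
                if b not in ek:
                    ek[b] = ek[a] ^ e
                    queue.append(b)
    return ek, n_sets

def demo(seed=0):
    """Constructed scenario: recover from three pairs, decrypt a held-out file."""
    master_key, enc_master_key = os.urandom(KEY_SIZE), os.urandom(256)
    files = [("a.jpg", 0x8000, 0x123456, 0x345678),  # (name, size, R1, R2)
             ("b.jpg", 0x8000, 0x7A0000, 0x9A0000),  # far from a: 1,024 small sets
             ("c.jpg", 0x8000, 0x123457, 0x345678),  # a's SP2, SP1 + 1: chains a's sets
             ("d.jpg", 0x4000, 0x12345B, 0x345678)]  # held out, inside the chained set
    samples = []
    for name, size, r1, r2 in files:
        data, iname = os.urandom(size), infected_name(name, enc_master_key, r1, r2)
        samples.append((iname, hive_xor(master_key, iname, data), data))
    ek, n_sets = recover_master_key(samples[:3], seed)
    recovered = bytearray(KEY_SIZE)           # bytes not recovered stay zero
    for i, v in ek.items():
        recovered[i] = v
    return {"sets": n_sets, "known_bytes": len(ek),
            "pairs_ok": all(hive_xor(recovered, n, c) == p for n, c, p in samples[:3]),
            "held_out_ok": hive_xor(recovered, *samples[3][:2]) == samples[3][2]}
```

In demo(), files a and b lie at unrelated offsets, so each yields 1,024 sets: one Keystream2 byte together with the Keystream1 bytes that share its index modulo 0x400 (with a full 1 MiB EKS that is the 1,025 bytes of the text; a 32 KiB sample gives 33-byte sets). File c reuses a's Keystream2 offset with Keystream1 shifted by one byte, which links neighbouring Keystream2 bytes and chains a's 1,024 sets into one, so n falls from 2,048 to 1,025. The guessed seed byte does not affect decryption: every equation ties one Keystream1 byte to one Keystream2 byte, so XORing every byte of a set with the same constant leaves every EKS byte derived from that set unchanged. That is why the held-out file d, whose keystream positions all fall inside the chained set, decrypts correctly with the partially recovered key, whereas a file whose EKS straddled two unlinked sets would need the per-join trials the text counts as (n − 1) × 256.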
The master key was recovered through the collected EKS

the case of partial success, additional collection of EKS is possible and help

### 5 Conclusions

Acknowledgement