DecryptedTech

Friday, 19 August 2022

Flaws, they’re not Just for Attackers Anymore as Researchers Find a way to Recover the Master Key for Hive Ransomware



There is an old saying that says: what someone can lock, someone else can unlock. It is usually applied to attackers getting into a network or compromising protected data, and not often to security researchers unlocking information encrypted by a major ransomware threat group. However, this is exactly what has happened: researchers at Kookmin University in South Korea say they have used a flaw in the encryption method of Hive ransomware to find a way to unlock it.

Hive is a Ransomware as a Service group that lets others pay to use its ransomware strains. Hive has made using its platform so simple that its usage has increased significantly. Once a new client has registered with the platform, they can register their targets and create their own strain of ransomware very quickly, remarkably like the deal registration and deployment process for many current security tools. The most common method of deployment is spear-phishing, so it is very effective at compromising target groups (despite aggressive security awareness training schedules).

Although each malware package is unique to the client deploying it, the core encryption methods are the same. Through their analysis, the researchers found a vulnerability that allowed them to recover as much as 95% of the keys used in the encryption process. This is a huge win for companies being held hostage by this type of ransomware, although it is not the whole story. Hive is among the family of ransomware that also exfiltrates data as it encrypts it. This means that even if a company can recover its data (from backup or through decryption), it will likely face a second ransom demand over the exfiltrated files.

Ransomware is going to remain a major threat to organizations, and Ransomware as a Service groups are likely to grow in number over the next few years. This is the trend we are seeing because security and disaster recovery processes and policies are not where they should be. To slow the spread of ransomware attacks, companies need to ensure that users are properly educated in how to spot and report potentially malicious emails. They also need to spend the time, and money, to ensure that backups are not compromised: many ransomware strains look to pause or corrupt backups as part of the attack chain, so protecting these vital components of disaster recovery is essential.

Modern methods of malware detection and response (behavior- and math-based) need to be put in place to help stop infections before they can even start encrypting files. Data Loss Prevention applications can also be used to identify and stop rapid file changes. Firewall rules can be set up to detect and stop exfiltration attempts, for example by looking for certain file types and sizes and for sessions connecting to unusual IP addresses or ranges. Finally, users of Microsoft Office products can restrict how Office applications handle requests to spawn child processes (such as calling MSHTA or PowerShell); this limits what macros or VBA code in received emails can do, and there are many other steps that reduce the risk of a ransomware infection in the first place.
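As an added example (not from this article, the Hive operators, or the Kookmin researchers), here is the kind of "rapid file change" rule the DLP/EDR paragraph above alludes to, run over constructed file-modification events. The process names, paths, window size and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds since start, process name, path written).
# Benign background activity from two ordinary processes.
SAMPLE_EVENTS = [
    (0.0, "WINWORD.EXE", r"C:\Users\alice\Documents\report.docx"),
    (2.0, "explorer.exe", r"C:\Users\alice\Desktop\notes.txt"),
    (4.5, "WINWORD.EXE", r"C:\Users\alice\Documents\report.docx"),
    (9.0, "explorer.exe", r"C:\Users\alice\Downloads\photo.jpg"),
]
# A constructed burst: one hypothetical process rewrites 40 documents in four
# seconds, appending a new extension to each. This is the encryption pattern a
# file-change rate rule is meant to catch before the whole share is touched.
SAMPLE_EVENTS += [
    (10.0 + i * 0.1, "unknown_proc.exe",
     rf"C:\Users\alice\Documents\file{i}.docx.locked")
    for i in range(40)
]


def detect_rapid_changes(events, window_seconds=5.0, threshold=20):
    """Flag any process that modifies at least `threshold` files within any
    `window_seconds` span (sliding window per process).

    Returns one alert per offending process, as
    (process, window_start_time, count_in_window, last_path_seen).
    """
    recent = defaultdict(deque)  # process -> deque of (timestamp, path)
    alerted = {}
    for ts, proc, path in sorted(events):
        q = recent[proc]
        q.append((ts, path))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerted[proc] = (proc, q[0][0], len(q), path)
    return list(alerted.values())


if __name__ == "__main__":
    for proc, start, count, last in detect_rapid_changes(SAMPLE_EVENTS):
        print(f"ALERT {proc}: {count} file changes since t={start}s, "
              f"last path {last}")
```

In a real deployment the alert would feed a response action (suspend the process, isolate the host) rather than a print, and the threshold would be tuned against the baseline write rate of backup agents and indexers so they do not trip it.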
