This is really cool! Also cool that their approach to decrypting involves generating and solving equations from the data. The paper includes example pseudocode.

Snippet from section 3:

- EKS[i] ← Keystream1[i] ⊕ Keystream2[i % 0x400] (i ← 0, 1, ···, 0xFFFFF)
- Encrypted data ← Data[offset] ⊕ EKS[offset % 0x100000]

Intro to section 4:

In this section, we describe a file decryption method for the Hive ransomware using a cryptographic vulnerability. The Hive ransomware extracts two keystreams for file encryption from the master key, which is generated once at the beginning of each file encryption. The two keystreams are used to generate an EKS, and EKS encrypts the data using XOR. EKS looks random, but the keystream to generate EKS is partially reused when encrypting various files. The encryption algorithm is an XOR operation, and the algorithm that generates EKS is also XOR; therefore, it becomes easy to guess the keystreams. We obtained equations consisting of XOR operations from encrypted files, and found the master key by solving the equations. Our method to obtain the equations requires one of the following conditions:

- Some of the original files corresponding to encrypted files should be available.
- There should be several encrypted files with known signatures, such as .pdf, .xlsx, or .hwp.

The main ways in which the original files corresponding to encrypted files can be obtained are described below. Unlike other ransomware, the Hive ransomware encrypts the Program files, Program files (x86), and ProgramData directories, which commonly store software files (Java, Python, Microsoft Office, and others) that are not related to the operating system. Therefore, we could easily obtain the original unencrypted files, as these software installation files can be obtained on the internet. Backup, synchronizing, and downloading files, and email attachments could also be utilized. By XORing the original and the encrypted file we can obtain the EKS.
It is also possible to determine the EKS without the original unencrypted files. In this case, we use known file signatures. However, file signatures are short in comparison with the file data; therefore, many files with known signatures are required.

Random snippet from farther down section 4:

As each set forms one simultaneous equation, if one byte of Keystream2 is guessed, 0x400 values are also determined by solving the equation. That is, if one EKS is used, a maximum value of 1,025 bytes of the master key can be determined by guessing one byte (Fig. 8).
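The two quoted equations and the "guess one byte of Keystream2" step, as an added Python model that is not the paper's code or anything from the Hive binary. Only the EKS and encryption equations are taken from the excerpt; the keystream bytes come from a seeded PRNG because the excerpt does not show how the keystreams are cut from the master key, and the "original" file, the PDF sample and the index `t` are constructed for the demo.

```python
"""Toy model of the Hive EKS construction quoted above (added illustration).

Assumptions not in the excerpt: Keystream1/Keystream2 are just PRNG bytes here
(the extraction from the master key is left out), and all files are constructed.
"""
import random

KS1_LEN = 0x100000   # Keystream1 length: i runs 0..0xFFFFF in the quoted equation
KS2_LEN = 0x400      # Keystream2 length: the i % 0x400 term


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings via big integers (fast for 1 MiB inputs)."""
    assert len(a) == len(b)
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def make_eks(ks1: bytes, ks2: bytes) -> bytes:
    """EKS[i] = Keystream1[i] XOR Keystream2[i % 0x400] for i in 0..0xFFFFF."""
    assert len(ks1) == KS1_LEN and len(ks2) == KS2_LEN
    # ks2 repeated 0x400 times is exactly the sequence Keystream2[i % 0x400].
    return xor_bytes(ks1, ks2 * (KS1_LEN // KS2_LEN))


def xor_with_eks(data: bytes, eks: bytes) -> bytes:
    """Encrypted[offset] = Data[offset] XOR EKS[offset % 0x100000]. Same call decrypts."""
    out = bytearray(len(data))
    for start in range(0, len(data), KS1_LEN):
        chunk = data[start:start + KS1_LEN]
        out[start:start + len(chunk)] = xor_bytes(chunk, eks[:len(chunk)])
    return bytes(out)


def recover_eks(known_plain: bytes, cipher: bytes) -> list:
    """Known-plaintext step: EKS[offset % 0x100000] = plain XOR cipher.

    known_plain may be only a prefix of the file (e.g. a format signature), so the
    result is a list of length 0x100000 with None where the EKS byte is unknown.
    Bytes of a file longer than 1 MiB wrap onto the same EKS index and must agree.
    """
    known = [None] * KS1_LEN
    for start in range(0, min(len(known_plain), len(cipher)), KS1_LEN):
        p = known_plain[start:start + KS1_LEN]
        c = cipher[start:start + len(p)]
        for i, v in enumerate(xor_bytes(p[:len(c)], c)):
            if known[i] is None:
                known[i] = v
            elif known[i] != v:
                raise ValueError(f"inconsistent EKS byte at index {i:#x}")
    return known


def ks1_from_ks2_guess(eks_known: list, t: int, guess: int) -> dict:
    """One simultaneous-equation set: every EKS index j with j % 0x400 == t shares
    the single unknown Keystream2[t], so guessing that byte fixes
    Keystream1[j] = EKS[j] XOR guess for up to 0x400 values of j.
    A single EKS cannot tell a right guess from a wrong one; that check needs the
    equations from other files that reuse the keystream, as the excerpt describes."""
    return {j: eks_known[j] ^ guess
            for j in range(t, KS1_LEN, KS2_LEN) if eks_known[j] is not None}


def demo(seed: int = 1, t: int = 0x123) -> dict:
    rng = random.Random(seed)
    ks1, ks2 = rng.randbytes(KS1_LEN), rng.randbytes(KS2_LEN)   # assumption: PRNG keystreams
    eks = make_eks(ks1, ks2)
    # Constructed 1.5 MiB "original" whose unencrypted copy is fully available.
    original = rng.randbytes(KS1_LEN + KS1_LEN // 2)
    encrypted = xor_with_eks(original, eks)
    assert xor_with_eks(encrypted, eks) == original          # XOR decrypts in place
    full = recover_eks(original, encrypted)
    # Constructed PDF-like file where only the signature is known plaintext.
    pdf_cipher = xor_with_eks(b"%PDF-1.7\n" + rng.randbytes(4000), eks)
    partial = recover_eks(b"%PDF-1.7", pdf_cipher)
    determined = ks1_from_ks2_guess(full, t, ks2[t])         # the correct guess
    return {
        "eks_bytes_from_full_file": sum(v is not None for v in full),
        "eks_bytes_from_signature": sum(v is not None for v in partial),
        "ks1_bytes_from_one_guess": len(determined),
        "guess_correct": all(ks1[j] == v for j, v in determined.items()),
        "total_determined": len(determined) + 1,              # 0x400 + the guessed byte
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two `recover_eks` calls show why the paper says signature-only files are a weaker source: a fully known installer yields all 0x100000 EKS bytes at once, while a PDF signature yields 8, so many such files are needed before the equation sets fill in.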