A method for Decrypting Data infected with Ransomware

Undiscussed Horrific Abuse, One Victim of Many gmkarl at gmail.com
Sat Feb 19 01:37:26 PST 2022


This is really cool! Also cool that their approach to decrypting
involves generating and solving equations from the data. The paper
includes example pseudocode.

Snippet from section 3:

- EKS[i] ← Keystream1[i] ⊕ Keystream2[i % 0x400]   (i ← 0, 1, ···, 0xFFFFF)
- Encrypted data ← Data[offset] ⊕ EKS[offset % 0x100000]

Intro to section 4:

In this section, we describe a file decryption method for the Hive
ransomware using a cryptographic vulnerability. The Hive ransomware
extracts two keystreams for file encryption from the master key, which
is generated once at the beginning of each file encryption. The two
keystreams are used to generate an EKS, and EKS encrypts the data
using XOR. EKS looks random, but the keystream to generate EKS is
partially reused when encrypting various files. The encryption
algorithm is an XOR operation, and the algorithm that generates EKS is
also XOR; therefore, it becomes easy to guess the keystreams. We
obtained equations consisting of XOR operations from encrypted files,
and found the master key by solving the equations. Our method to
obtain the equations requires one of the following conditions:

- Some of the original files corresponding to encrypted files should
be available.
- There should be several encrypted files with known signatures, such
as .pdf, .xlsx, or .hwp.

The main ways in which the original files corresponding to encrypted
files can be obtained are described below. Unlike other ransomware,
the Hive ransomware encrypts the Program files, Program files (x86),
and ProgramData directories, which commonly store software files
(Java, Python, Microsoft Office, and others) that are not related to
the operating system. Therefore, we could easily obtain the original
unencrypted files, as these software installation files can be
obtained on the internet. Backup, synchronizing, and downloading
files, and email attachments could also be utilized. By XORing the
original and the encrypted file we can obtain the EKS. It is also
possible to determine the EKS without the original unencrypted files.
In this case, we use known file signatures. However, file signatures
are short in comparison with the file data, therefore, many files with
known signatures are required.

Random snippet from farther down section 4:

As each set forms one simultaneous equation, if one byte of Keystream2
is guessed, 0x400 values are also determined by solving the equation.
That is, if one EKS is used, a maximum value of 1,025 bytes of the
master key can be determined by guessing one byte (Fig. 8).
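As an added illustration of the section 3 and section 4 material quoted above (this is not code from the paper or from the post), the following Python model reproduces the EKS construction EKS[i] = Keystream1[i] ⊕ Keystream2[i % 0x400], the XOR encryption, the known-plaintext recovery of EKS, and the observation that guessing one byte of Keystream2 fixes up to 0x400 bytes of Keystream1 (1,025 bytes in total). The two keystreams and the "original file" are constructed inside the script; the 0x400 and 0x100000 sizes come from the quoted snippet.

```python
"""
Added example (not from the paper or the post): a small model of the Hive
keystream construction quoted above, used to show why XOR-only keystream
generation leaks key material once a plaintext/ciphertext pair is known.
All keystreams and "files" below are constructed here for the demonstration.
"""
import random

KS2_PERIOD = 0x400    # Keystream2 length, from the section 3 snippet
EKS_LEN = 0x100000    # EKS length (i runs 0..0xFFFFF), from the snippet


def make_eks(ks1: bytes, ks2: bytes) -> bytes:
    """EKS[i] = Keystream1[i] XOR Keystream2[i % len(Keystream2)]."""
    n = len(ks2)
    return bytes(ks1[i] ^ ks2[i % n] for i in range(len(ks1)))


def xor_encrypt(data: bytes, eks: bytes) -> bytes:
    """Encrypted[offset] = Data[offset] XOR EKS[offset % len(EKS)]."""
    n = len(eks)
    return bytes(data[i] ^ eks[i % n] for i in range(len(data)))


def recover_eks(plain: bytes, cipher: bytes) -> dict:
    """Known plaintext: XORing original and encrypted bytes yields EKS bytes.
    Returns {eks_index: value}; offsets wrap onto EKS indices modulo EKS_LEN,
    which is why one sufficiently long original file recovers all of EKS."""
    out = {}
    for i, (p, c) in enumerate(zip(plain, cipher)):
        out[i % EKS_LEN] = p ^ c
    return out


def solve_residue_class(known_eks: dict, j: int, ks2_guess: int) -> dict:
    """Each EKS equation couples one Keystream1 byte with Keystream2[i % 0x400],
    so all equations sharing the same Keystream2 index form one set.
    Guessing the single byte Keystream2[j] fixes Keystream1[i] for every
    known i with i % 0x400 == j, via Keystream1[i] = EKS[i] XOR guess.
    Returns the recovered bytes as {'ks2': {j: v}, 'ks1': {i: v}}."""
    ks1 = {i: v ^ ks2_guess
           for i, v in known_eks.items() if i % KS2_PERIOD == j}
    return {"ks2": {j: ks2_guess}, "ks1": ks1}


def count_recovered(solution: dict) -> int:
    """Number of master-key bytes fixed by one guess (at most 0x400 + 1)."""
    return len(solution["ks1"]) + len(solution["ks2"])


def demo(seed: int = 1) -> dict:
    """End-to-end run on constructed data; returns checkable results."""
    rng = random.Random(seed)
    ks1 = rng.randbytes(EKS_LEN)        # constructed Keystream1
    ks2 = rng.randbytes(KS2_PERIOD)     # constructed Keystream2
    eks = make_eks(ks1, ks2)
    # Constructed "original file", long enough to cover the whole EKS; it
    # stands in for a known unencrypted file such as a software installer.
    original = rng.randbytes(EKS_LEN)
    encrypted = xor_encrypt(original, eks)
    known = recover_eks(original, encrypted)
    j = 0x123                            # arbitrary Keystream2 index
    sol = solve_residue_class(known, j, ks2[j])   # the correct guess, for the demo
    ks1_correct = all(ks1[i] == v for i, v in sol["ks1"].items())
    return {
        "eks_matches": known == dict(enumerate(eks)),
        "recovered_bytes": count_recovered(sol),
        "ks1_correct": ks1_correct,
    }


if __name__ == "__main__":
    print(demo())
```

The residue classes modulo 0x400 are independent of one another: XORing two equations that share a Keystream2 index cancels that byte and leaves only a relation between two Keystream1 bytes, so nothing ties one class to another without further known material. That is why a single guessed byte settles exactly one class (1,024 Keystream1 bytes plus the guessed byte) and why the paper needs enough known plaintext or file signatures to cover the classes it cares about.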

