Online ransomware decryptor helps recover partially encrypted files

CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption.

The company announced today that although the tool was already freely available through GitHub as a Python project, they felt an online version was needed for the less tech-savvy ransomware victims who don't know how to work with the code.

Using the online White Phoenix is as simple as uploading files, hitting the "recover" button, and allowing the tool some time to restore whatever it can.

Currently, the tool supports PDFs, Word and Excel document files, ZIPs, and PowerPoint. Also, the online version has a file size limit of 10MB, so if you're looking to decrypt larger files or virtual machines (VMs), the GitHub version is the only way to go.

Intermittent encryption opportunities

Intermittent encryption is a method used by many ransomware operations to speed up the encryption of devices by only partially encrypting the victim's files.

Current ransomware strains employing intermittent encryption include Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. Therefore, White Phoenix can only help victims hit by those strains.

Using intermittent encryption, threat actors can speed up their attacks while still leaving victims without a way to restore their data without paying.

However, intermittent encryption comes with a weakness, as it leaves significant chunks of unencrypted data in a file. If these chunks of unencrypted data contain useful information, especially at the start and end of the file, the chances for successfully rebuilding and restoring the file without paying for a decryptor is increased.

White Phoenix attempts to recover text in documents by concatenating unencrypted parts and by reversing hex encoding and CMAP (character mapping) scrambling.

White Phoenix is basically a tool that automates manual restoration used by data restoration experts, so depending on the file type and ransomware, the decryptor may not work particularly well.

CyberArk previously told BleepingComputer that certain strings need to be readable in the files depending on their type for the decryptor to work correctly. For example, ZIP files must contain the "PK\x03\x04" string, and PDFs need to contain "0 obj" and "endobj."

For PDFs that contain image files, CyberArk suggests checking the "separate files" option for more reliable results.

Even if White Phoenix cannot help restore entire systems, it could still help restore valuable files or at least retrieve some data from them.

There are currently no working decryptors for the mentioned ransomware families, so restoration options are severely limited, making White Phoenix worth a try.

Note that if you're working with sensitive information, it would be recommended to download White Phoenix from GitHub and use it locally rather than uploading sensitive documents to CyberArk's servers.