New Ransomware 'White Phoenix' Decryptor

New ransomware decryptor recovers data from partially encrypted files

Date: 11 May 2023

Threat Actor

  • BlackCat/ALPHV

  • Play ransomware

  • Qilin/Agenda

  • BianLian

  • DarkBit

Description

A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.

CyberArk developed White Phoenix after experimenting with partially encrypted PDF files, attempting to recover text and images from stream objects. In certain BlackCat encryption modes, many objects in PDF files remain unaffected, allowing the data to be extracted. In the case of image streams, recovering them is as simple as removing the applied filters. In the case of text recovery, the restoration methods include identifying text chunks in the streams and concatenating them or reversing hex encoding and CMAP (character mapping) scrambling.
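
As an added illustration of the PDF recovery idea described above (example code written for this page, not the White Phoenix tool's own code), the following Python scans a partially encrypted PDF for stream objects, keeps those whose FlateDecode data still inflates cleanly, reports the ones where ciphertext landed, and concatenates the `Tj` string operands of an intact content stream. The sample PDF bytes, object numbers and the overwritten stream body are constructed inline and stand in for a real encrypted file.

```python
import re
import zlib

# One indirect object, "N G obj ... endobj" (DOTALL: stream bodies are binary).
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
# Inside an object: the dictionary, then the payload between the stream markers
# (a production tool should honour /Length instead of searching for endstream).
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Literal-string operands of the Tj text-showing operator, e.g. "(Hello) Tj".
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")

def recover_streams(pdf_bytes):
    """Return (intact, damaged): intact maps object number -> decoded payload,
    damaged maps object number -> zlib error text. A FlateDecode stream counts
    as intact only if it inflates cleanly; other filters are returned raw."""
    intact, damaged = {}, {}
    for obj in OBJ_RE.finditer(pdf_bytes):
        stream = STREAM_RE.search(obj.group(2))
        if stream is None:
            continue  # not a stream object
        num, (dictionary, raw) = int(obj.group(1)), stream.groups()
        if b"/FlateDecode" not in dictionary:
            intact[num] = raw  # e.g. DCTDecode: the bytes are already a JPEG
            continue
        try:
            intact[num] = zlib.decompress(raw)
        except zlib.error as exc:
            damaged[num] = str(exc)  # ciphertext landed inside this stream
    return intact, damaged

def extract_text(content_stream):
    """Concatenate the literal strings a decoded content stream passes to Tj."""
    return b" ".join(TJ_RE.findall(content_stream))

def make_stream_obj(num, dictionary, payload):
    """Build one PDF stream object for the constructed sample below."""
    return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (
        num, dictionary, len(payload), payload)

# Constructed stand-in for a partially encrypted PDF (not a real capture):
# object 4 is an intact compressed content stream, object 5 had its body
# overwritten (stand-in for an encrypted chunk), object 6 is an untouched JPEG.
CONTENT = b"BT /F1 12 Tf 72 700 Td (Hello) Tj (partially) Tj (encrypted) Tj ET"
BAD_BODY = b"\x78\x9c" + b"\xff" * 24  # zlib header, then an invalid deflate block
SAMPLE_PDF = (b"%PDF-1.7\n"
              + make_stream_obj(4, b"/Filter /FlateDecode", zlib.compress(CONTENT))
              + make_stream_obj(5, b"/Filter /FlateDecode", BAD_BODY)
              + make_stream_obj(6, b"/Subtype /Image /Filter /DCTDecode", b"\xff\xd8\xff\xe0\xff\xd9"))
```

Running `recover_streams(SAMPLE_PDF)` yields object 4 and 6 as intact and object 5 as damaged; `extract_text` on object 4 returns the three text chunks joined together.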

CyberArk found similar restoration possibilities for other file formats, including those based on ZIP archives: the Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods), and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) document formats.

The analysts report that their automated data recovery tool should work well for the mentioned file types encrypted by the following ransomware strains:

  • BlackCat/ALPHV

  • Play ransomware

  • Qilin/Agenda

  • BianLian

  • DarkBit

Reference

https://github.com/cyberark/White-Phoenix

https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/