New Ransomware 'White Phoenix' Decryptor
New ransomware decryptor recovers data from partially encrypted files
Last updated
Date: 11 May 2023
A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.
Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.
CyberArk developed White Phoenix after experimenting with partially encrypted PDF files, attempting to recover text and images from stream objects. In certain BlackCat encryption modes, many objects in PDF files remain unaffected, allowing the data to be extracted. In the case of image streams, recovering them is as simple as removing the applied filters. In the case of text recovery, the restoration methods include identifying text chunks in the streams and concatenating them or reversing hex encoding and CMAP (character mapping) scrambling.
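The PDF text-recovery idea described above, as an added illustration that is not code from White Phoenix or CyberArk: it carves "(...) Tj" and "<hex> Tj" text operators out of whatever parts of a partially encrypted file survived, keeps only operands that still decode to printable text, and ignores object and stream structure so that intact text is found even when the enclosing stream dictionary was hit. The sample file, the XOR-based intermittent "encryption" and the chunk sizes are constructed for the demonstration; only uncompressed streams and simple string operands are handled.

```python
import re

# Text-showing operators in an uncompressed PDF content stream: literal "(...) Tj"
# and hex "<...> Tj". Escapes, nested parentheses and TJ arrays are not handled here.
TEXT_OP_RE = re.compile(rb"\((.*?)\)\s*Tj|<([0-9A-Fa-f\s]+)>\s*Tj", re.DOTALL)

def carve_text(data: bytes) -> list[str]:
    """Carve printable text operands from whatever parts of the file survived.
    The scan ignores object/stream structure on purpose: a chunk whose stream
    dictionary or 'stream' keyword was overwritten can still hold intact text."""
    found = []
    for literal, hexstr in TEXT_OP_RE.findall(data):
        if literal:
            raw = literal
        else:
            try:
                raw = bytes.fromhex(b"".join(hexstr.split()).decode("ascii"))
            except ValueError:
                continue  # odd-length or damaged hex string
        if raw and all(32 <= b < 127 for b in raw):  # drop operands hit by encryption
            found.append(raw.decode("ascii"))
    return found

def pdf_object(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (num, len(body), body)

def make_sample() -> bytes:
    """Constructed PDF-like buffer (three uncompressed content streams, no xref)."""
    streams = [b"BT /F1 12 Tf 72 700 Td (Quarterly) Tj <7265706F7274> Tj ET",
               b"BT /F1 12 Tf 72 680 Td (Confidential) Tj ET",
               b"BT /F1 12 Tf 72 660 Td (Page three) Tj ET"]
    objs = b"".join(pdf_object(4 + i, s) for i, s in enumerate(streams))
    return b"%PDF-1.4\n" + objs + b"%%EOF\n"

def intermittent_encrypt(data: bytes, chunk: int = 16, period: int = 128, key: int = 0x5A) -> bytes:
    """Stand-in for intermittent encryption: scramble the first `chunk` bytes of every
    `period`-byte block and leave the rest untouched. XOR is used only so the effect on
    the sample is deterministic; real strains use proper ciphers."""
    out = bytearray(data)
    for start in range(0, len(data), period):
        for i in range(start, min(start + chunk, len(data))):
            out[i] ^= key
    return bytes(out)

if __name__ == "__main__":
    sample = make_sample()
    print("clean file:   ", carve_text(sample))   # all three strings plus "report"
    print("partial file: ", carve_text(intermittent_encrypt(sample)))  # "Page three" lost
```

With the constructed chunking, the third stream's "(Page t" lands inside an encrypted chunk and is dropped by the printability check, while the second stream is still recovered even though its `/Length` dictionary was overwritten.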
CyberArk found similar restoration possibilities for other file formats, including those built on ZIP archives. These ZIP-based formats include Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods), and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) documents.
The analysts report that their automated data recovery tool should work well for the mentioned file types encrypted by the following ransomware strains:
BlackCat/ALPHV
Play ransomware
Qilin/Agenda
BianLian
DarkBit
https://github.com/cyberark/White-Phoenix
https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/