CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption.
The company announced today that although the tool was already freely available through GitHub as a Python project, they felt an online version was needed for the less tech-savvy ransomware victims who don't know how to work with the code.
Currently, the tool supports PDFs, Word and Excel document files, ZIPs, and PowerPoint.
The online version has a file size limit of 10MB, so if you're looking to decrypt larger files or virtual machines, the GitHub version is the only way to go.
Intermittent encryption is a method used by many ransomware operations to speed up the encryption of devices by only partially encrypting the victim's files.
Current ransomware strains employing intermittent encryption include Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit.
White Phoenix can only help victims hit by those strains.
Using intermittent encryption, threat actors can speed up their attacks while still leaving victims without a way to restore their data without paying.
Intermittent encryption comes with a weakness, as it leaves significant chunks of unencrypted data in a file.
If these chunks of unencrypted data contain useful information, especially at the start and end of the file, the chances for successfully rebuilding and restoring the file without paying for a decryptor is increased.
White Phoenix attempts to recover text in documents by concatenating unencrypted parts and by reversing hex encoding and CMAP scrambling.
White Phoenix is basically a tool that automates manual restoration used by data restoration experts, so depending on the file type and ransomware, the decryptor may not work particularly well.
CyberArk previously told BleepingComputer that certain strings need to be readable in the files depending on their type for the decryptor to work correctly.
Even if White Phoenix cannot help restore entire systems, it could still help restore valuable files or at least retrieve some data from them.
There are currently no working decryptors for the mentioned ransomware families, so restoration options are severely limited, making White Phoenix worth a try.
Note that if you're working with sensitive information, it would be recommended to download White Phoenix from GitHub and use it locally rather than uploading sensitive documents to CyberArk's servers.
Decryptor for Babuk ransomware variant released after hacker arrested.
New Black Basta decryptor exploits ransomware flaw to recover files.
Energy giant Schneider Electric hit by Cactus ransomware attack.
Ransomware payments drop to record low as victims refuse to pay.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 30 Jan 2024 22:05:23 +0000