The new "White Phoenix" decryptor lets victims of ransomware attacks partially recover their files. It is aimed primarily at data that was encrypted with so-called "discontinuous encryption".
With discontinuous encryption, the source file is split into blocks, and the blocks are encrypted at a fixed interval rather than all of them, so the blocks in between are left untouched. Unlike other encryption schemes, it requires neither additional data blocks nor placeholders. This lets the ransomware process a victim's data extremely quickly while still rendering it unusable.
In September 2022, Sentinel Labs reported that discontinuous encryption was gaining traction in the ransomware space, with all major gangs offering it to their customers at least as an option, and with the notorious ALPHV/BlackCat faction appearing to have the most sophisticated implementation of this type of encryption.
According to CyberArk, the company that developed and published the White Phoenix decryptor, this speed-oriented encryption tactic introduces weaknesses of its own: many blocks of the source files are left unencrypted, which creates the potential for free recovery.
Ransomware operations that use discontinuous encryption and against which White Phoenix can be used include:
- Qilin / Agenda;
CyberArk arrived at the White Phoenix approach after experimenting with partially encrypted PDF files. The researchers found that in certain encryption modes of the BlackCat ransomware, many objects within PDF files were left untouched, which made it possible to extract data from them.
After successfully recovering PDF files, CyberArk experts found similar recovery options for other data formats, including file types that are ZIP archives internally. These include Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods) and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) documents.
These file types are recovered with 7zip and a hex editor: the unencrypted XML parts are extracted from the corrupted document and the damaged data is then replaced. White Phoenix automates these steps for the supported file types, although manual intervention may still be required in some cases.
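As an added illustration of the ZIP-carving step described above (this is example code written for this page, not White Phoenix or any CyberArk code), the following Python walks a partially encrypted Office document for intact local file headers, keeps the parts whose data still inflates and passes the stored size and CRC-32 checks, and can write them into a fresh container. The sample document and the block-damage routine are constructed here to simulate the effect of discontinuous encryption; the function and part names are assumptions.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
# Constructed stand-in for a .docx: a few ZIP parts with XML-like payloads, not a real document.
SAMPLE_PARTS = {
    "[Content_Types].xml": b"<Types><Default Extension='xml' ContentType='application/xml'/></Types>",
    "word/document.xml": "".join(f"<w:t>{i * 7919 % 10007}</w:t>" for i in range(3000)).encode(),
    "word/styles.xml": b"<w:styles><w:style w:styleId='Normal'/></w:styles>",
}

def build_zip(parts):
    """Write parts into a fresh ZIP container; also used to rebuild the recovered document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

def damage_every_other_block(data, block=1024):
    """Simulate the effect of intermittent encryption: every second block becomes unreadable."""
    out = bytearray(data)
    for start in range(block, len(out), 2 * block):
        out[start:start + block] = b"\xff" * len(out[start:start + block])
    return bytes(out)

def carve_intact_entries(data):
    """Walk every local-file-header signature and keep the parts whose payload still inflates and
    matches the header's size and CRC-32 (no central directory needed); data-descriptor entries (flag bit 3) are skipped."""
    recovered, pos = {}, 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        try:
            flags, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
            name = data[pos + 30:pos + 30 + nlen].decode("utf-8")
            start = pos + 30 + nlen + xlen
            if flags & 0x8 or start + csize > len(data):
                raise ValueError("header sizes are not usable")
        except (struct.error, UnicodeDecodeError, ValueError):
            pos += 4  # the header itself is damaged: keep scanning byte-wise
            continue
        payload, pos = data[start:start + csize], start + csize
        try:
            content = payload if method == 0 else zlib.decompress(payload, -15)
        except zlib.error:
            continue  # compressed data was hit by the encryption
        if len(content) == usize and zlib.crc32(content) == crc:
            recovered[name] = content
    return recovered
```

Call `carve_intact_entries()` on the bytes of a damaged document and pass the result to `build_zip()` to get a new container; whether Office opens it depends on which parts survived, which is the same limitation the article describes.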
It is important to note that White Phoenix does not always produce good results, even when it can theoretically process the file. For example, if most of the file was encrypted, including critical components, the recovered data may be incomplete or useless. The effectiveness of the tool is therefore directly tied to the degree of damage to the file.
White Phoenix is already available for free download from the CyberArk public repository on GitHub.