A new “White Phoenix” ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and unencrypting blocks of data. This method encrypts a file much faster while leaving the data unusable by the victim.

In September 2022, Sentinel Labs reported that intermittent encryption is gaining ground in the ransomware space, with all major RaaS offering it at least as an option to affiliates and BlackCat/ALPHV apparently having the most sophisticated implementation.

However, according to CyberArk, which developed and published “White Phoenix”, this tactic introduces weaknesses in encryption, as leaving parts of the original files unencrypted creates the potential for gratuitous data recovery.

Ransomware operations that use intermittent encryption include BlackCat, Play, ESXiArgsQilin/Agenda and BianLian.

Recovery of partially encrypted files

CyberArk developed White Phoenix after experimenting with partially encrypted PDF files, trying to recover text and images from stream objects.

THE the researchers found that in some BlackCat encryption modes, many objects in PDF files are unaffected, allowing the data to be extracted.

In the case of image streams, recovering them is as simple as removing applied filters.

In the case of text recovery, restoration methods include identifying chunks of text in streams and concatenating or reversing hex encoding and CMAP (character mapping) scrambling.

After successfully recovering PDF files using the White Phoenix tool, CyberArk found similar recovery possibilities for other file formats, including files based on ZIP archives.

These files using the ZIP format include Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods) and PowerPoint (pptx, pptm, ptox, potm, ppsx, ppsm , odp) document formats.

Restoration of these file types is achieved by using 7zip and a hex editor to extract unencrypted XML files from impacted documents and perform data replacement.

White Phoenix automates all of the above steps for supported file types, although manual intervention may be required in some cases.

The tool is available as a free download from CyberArk’s public GitHub repository.

Practical limits

Analysts report that their automated data recovery tool should work well for the mentioned file types encrypted by the following ransomware strains:

• BlackCat/ALPHV
• Play ransomware
• Qilin/Diary
• BianLian
• DarkBit

However, it is essential to note that White Phoenix will not produce good results in all cases, even if it is theoretically supported.

For example, if a large portion of a file has been encrypted, including its critical components, the recovered data may be incomplete or useless. Thus, the effectiveness of the tool is directly related to the extent of damage to the record.

In cases where text is stored as CMAP objects in PDF files, retrieval is only possible if neither the text nor the CMAP objects are encrypted, except in rare cases where the hexadecimal encoding matches the values original characters.

BleepingComputer tested White Phoenix with a small sample of ALPHV encrypted PDF files and Play encrypted PPTX and DOCX files and could not recover any data using the tool.

However, CyberArk explained that this could be because intermittent encryption is not used in the attacks we received samples from or the files are too heavily encrypted to properly analyze.

“Depending on the specific ransomware sample used, different file sizes may be too encrypted to recover data. If the following characters are not visible in the file, it is likely fully encrypted and White Phoenix cannot help you,” CyberArk told BleepingComputer.

For White Phoenix to work properly, Zip/Office formats must contain the string “PK\x03\x04” in the file to be supported. Additionally, PDFs must contain the strings “0 obj” and “endobj” to be partially recovered.

If White Phoenix cannot find these strings, it will indicate that the file type is not supported, as shown below in our limited testing.

Although this decryptor may not work for all files, it could be very useful for victims to try to recover “some” data from critical files.

CyberArk invites all security researchers to download and try the tool and join the effort to improve it and help expand its support for more file types and ransomware strains.