White Phoenix Online: the well-known decryptor has become even easier to use

Now, to restore files, just upload them to the service and click one button.

CyberArk has released an online version of its White Phoenix tool, a free decryptor for files that were attacked by ransomware and encrypted using intermittent encryption.

The tool was first introduced back in May last year, but until now it existed only as a Python project hosted on GitHub.

CyberArk decided that victims of ransomware who do not have technical skills need an online version to simplify the file recovery process.

Using the online version of White Phoenix is very simple — you just need to upload the encrypted files, click "restore" and wait for the tool to recover the data, if it can.

Currently, ZIP and PDF files are supported, as well as most of the main office document formats created in Word, Excel, and PowerPoint. However, there is also a file size limit of 10 MB. For larger files and VMs, you still need to use the GitHub version.

Intermittent encryption is a method of speeding up data encryption on a device by skipping some blocks of each file. It is used by ransomware families such as BlackCat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. Consequently, White Phoenix covers a fairly large share of ransomware activity, but it is unlikely to help if any other ransomware program was used in the attack.

The decryptor itself was made possible by a weakness in the intermittent encryption method: significant unencrypted fragments remain inside each file. If these fragments contain useful information, especially at the beginning and end of the file, the probability of successful recovery without paying a ransom increases significantly.

White Phoenix attempts to recover the text of documents by combining the unencrypted parts, as well as by reversing hexadecimal encoding and character permutations.

The effectiveness of the tool depends on the file type and the ransomware used. In essence, White Phoenix automates the manual recovery techniques that cybersecurity experts already use.

According to CyberArk, for files of a given type to be restored successfully, they must still contain specific marker strings. For example, a ZIP file should contain the string "PK\x03\x04", while a PDF should contain "0 obj" and "endobj".
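The mechanism described above, unencrypted fragments surviving between encrypted blocks and recovery keyed on surviving markers such as "0 obj" and "endobj", as an added Python example that is not CyberArk's White Phoenix code; the PDF-like sample, the 64-byte block size and the 0xFF filler standing in for ciphertext are constructed assumptions for the demonstration.

```python
# Added example, not CyberArk's White Phoenix code. The PDF-like sample, the
# 64-byte block size and the 0xFF filler standing in for ciphertext are all
# constructed for this demonstration.
import re

BLOCK = 64  # constructed block size; real ransomware families choose their own

def make_sample_pdf(n_objects: int = 6) -> bytes:
    """Build a minimal PDF-like body with one text stream per object."""
    body = b"%PDF-1.4\n"
    for i in range(1, n_objects + 1):
        text = b"Invoice line %d" % i
        body += (b"%d 0 obj\n<< /Length %d >>\nstream\nBT (%s) Tj ET\n"
                 b"endstream\nendobj\n" % (i, len(text) + 11, text))
    return body + b"%%EOF\n"

def damage_every_other_block(data: bytes) -> bytes:
    """Model intermittent encryption: every second BLOCK becomes unreadable
    (overwritten with 0xFF here), the blocks in between are left untouched."""
    out = bytearray(data)
    for start in range(BLOCK, len(out), 2 * BLOCK):
        out[start:start + BLOCK] = b"\xff" * len(out[start:start + BLOCK])
    return bytes(out)

def has_pdf_markers(data: bytes) -> bool:
    """The precondition the article quotes: '0 obj' and 'endobj' must survive."""
    return b"0 obj" in data and b"endobj" in data

def recover_pdf_text(data: bytes) -> list:
    """Return the string of every '(...) Tj' text operator that survived intact,
    i.e. printable ASCII lying between an intact 'BT (' and an intact ') Tj ET'."""
    pattern = rb"BT \(([ -~]*?)\) Tj ET"  # [ -~] = printable ASCII only
    return [m.group(1).decode("ascii") for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    damaged = damage_every_other_block(make_sample_pdf())
    print("markers present:", has_pdf_markers(damaged))
    print("recovered text:", recover_pdf_text(damaged))
```

With the constructed layout only the text streams that fall entirely inside untouched blocks come back, which is exactly the partial recovery the article describes.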

Even if White Phoenix cannot recover the files completely, the tool can still be useful for extracting at least some of the valuable data. In any case, there are simply no other working decryptors for the ransomware families mentioned right now, and experts rate the existing implementation quite highly.

When working with highly confidential information, just in case, it is recommended to download White Phoenix from GitHub and use it locally, without uploading sensitive documents to external servers, in order to avoid unlikely, but extremely unpleasant surprises in the future.