"White Phoenix", an automated tool for recovering data from partially encrypted files hit with ransomware, is available on GitHub.
May 10, 2023

Good news for ransomware victims: Researchers have released a free tool on GitHub that they say can help victims of intermittent encryption attacks recover data from some types of partially encrypted files — without having to pay a ransom for the decryption key.
Intermittent encryption is an approach where a ransomware operator only partially encrypts targeted files—instead of the entire file—to speed up encryption, impact more files, and make detection harder. In recent months, several ransomware groups including BlackCat and Play have used the approach in attacks on hundreds of organizations worldwide. The victims of these attacks have included hospitals, banks, and universities.
Fortunately for such victims, data in some types of partially encrypted files can be recovered given the right circumstances, security vendor Cyberark said in a report this week. That's because many file formats, including PDF and the formats Microsoft Office adheres to, contain certain common, predictable parameters; even if those parameters are encrypted, they can be reconstructed relatively easily, which makes data recovery possible.
For instance, files often have a <Header><Body><Footer> construction, says Andy Thompson, global research evangelist at Cyberark.
"If partial encryption only wipes away the <header> portion of a [PDF for example], and we know that all PDFs' headers look the same way, you can piece together the file so that it works again," he says.
As an example, Thompson points to an original file that might have a <Header 123><Body 456><Footer 789> construction. If an intermittently encrypting ransomware sample only encrypted the header, the encrypted file might have a <Header 12><Body 456><Footer 789> construction. "White Phoenix can identify that <header 12> is <Header 123>, so it replaces the bad header with the good header, and you have a functional file again," he says.
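The header-replacement idea Thompson describes, as an added illustration in Python. This is not White Phoenix's code or Cyberark's method: it assumes a single format (PDF), a fixed known-good header (the `%PDF-1.7` version line is an assumption), and that format identification can rely on body and footer structure (`endobj`, `%%EOF`) that survived the partial encryption. The damaged sample file is constructed inline for the demonstration.

```python
import re
from typing import Optional, Tuple

# Assumed, simplified table of known-good headers. Real formats have several
# valid header variants; a recovery tool would carry all of them.
KNOWN_HEADERS = {
    "pdf": b"%PDF-1.7\n",
}

# First structural anchor inside a PDF body: an object definition "N G obj".
# Everything before it belongs to the (possibly damaged) header region.
PDF_FIRST_OBJECT = re.compile(rb"\d+ \d+ obj")


def identify_by_body(data: bytes) -> Optional[str]:
    """Identify the format from structure that survives damage to the leading bytes,
    i.e. without trusting the magic number at offset 0."""
    if b"endobj" in data and b"%%EOF" in data:
        return "pdf"
    return None


def header_is_intact(data: bytes, fmt: str) -> bool:
    """True when the file still starts with the format's known-good header."""
    return data.startswith(KNOWN_HEADERS[fmt])


def repair_header(data: bytes) -> Tuple[bytes, str]:
    """Replace a damaged header with the known-good one for the identified format.

    Returns (bytes, status) where status is one of:
      "unknown-format"  - no surviving body/footer structure we recognise
      "already-intact"  - header matches, nothing to do
      "no-anchor"       - body structure too damaged to locate the first object
      "repaired"        - damaged prefix replaced with the known-good header
    """
    fmt = identify_by_body(data)
    if fmt is None:
        return data, "unknown-format"
    if header_is_intact(data, fmt):
        return data, "already-intact"
    anchor = PDF_FIRST_OBJECT.search(data)
    if anchor is None:
        return data, "no-anchor"
    # The <Header 12> case from the article: splice <Header 123> onto the intact body.
    return KNOWN_HEADERS[fmt] + data[anchor.start():], "repaired"


# Constructed sample: a minimal, valid PDF skeleton used only as test input.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def damage_prefix(data: bytes, n: int = 9) -> bytes:
    """Constructed test helper: overwrite the first n bytes with filler, standing in
    for the ciphertext a partially encrypted file would carry in its header."""
    return bytes([0xA5]) * n + data[n:]


if __name__ == "__main__":
    damaged = damage_prefix(SAMPLE_PDF)
    repaired, status = repair_header(damaged)
    print(status, repaired == SAMPLE_PDF)
```

Two caveats worth keeping in mind when applying this beyond the toy input. First, if the encrypted region ran past the header into the first objects, the splice starts at the first object that survived, so anything before it is lost rather than recovered. Second, a PDF's cross-reference table stores byte offsets; a replacement header of a different length than the original leaves those offsets stale, and the file then depends on the viewer's ability to rebuild the table by scanning for objects, which most viewers do but not all.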