A new ransomware recovery tool known as ‘White Phoenix’ allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. It does not break the encryption; it salvages the chunks the ransomware never touched. Several ransomware groups use intermittent encryption, which alternates between encrypting and skipping chunks of data.
This method encrypts a file much faster while still rendering the data unusable by the victim.
Sentinel Labs reported in September 2022 that intermittent encryption is gaining traction in the ransomware space, with all major RaaS operations offering it as an option to affiliates and BlackCat/ALPHV having the most sophisticated implementation.
BlackCat’s intermittent encryption (CyberArk)

However, according to CyberArk, the company that created and published ‘White Phoenix,’ this tactic introduces a weakness: leaving parts of the original files unencrypted creates the possibility of recovering data for free.
BlackCat, Play, ESXiArgs, Qilin/Agenda, and BianLian are examples of ransomware operations that use intermittent encryption.
Recovering partially encrypted files
CyberArk developed White Phoenix after experimenting with partially encrypted PDF files, attempting to recover text and images from stream objects.
PDF’s stream object sample (CyberArk)

Many objects in PDF files remain unaffected in certain BlackCat encryption modes, allowing the data to be extracted, according to the researchers.
For image streams, recovery amounts to decoding the filters that were applied to the stream.
For text, the tool identifies text chunks inside content streams and concatenates them, reversing hex encoding and CMAP (character mapping) scrambling where needed.
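As an added illustration of the object-by-object approach described above (example code written for this page, not CyberArk's White Phoenix source), the script below builds a small constructed PDF with three Flate-compressed content streams, overwrites the bytes of one stream the way an intermittent-encryption pass would, and then walks every `N 0 obj … endobj` unit, inflates whatever still decodes, and pulls out literal `(...)` and hex `<...>` string operands. Object numbers, strings and the XOR "cipher" are all assumptions made up for the demo; the sample writes LF line endings, whereas real files may use CRLF.

```python
import re
import zlib

# One PDF object: "N 0 obj ... endobj".  Ransomware that skips chunks leaves many of these intact.
OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.DOTALL)
# Stream payload between the "stream" keyword and "endstream" (LF line endings in this sample).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
# Literal "(...)" and hex "<...>" string operands as they appear in a content stream.
STRING_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]+)>")


def pdf_object(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def flate_stream_object(num: int, content: bytes) -> bytes:
    """A stream object compressed with the FlateDecode (zlib) filter."""
    packed = zlib.compress(content)
    return pdf_object(
        num,
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(packed), packed),
    )


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real victim file: one page with three content streams."""
    objects = [
        pdf_object(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        pdf_object(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        pdf_object(3, b"<< /Type /Page /Parent 2 0 R /Contents [4 0 R 5 0 R 6 0 R] >>"),
        flate_stream_object(4, b"BT /F1 12 Tf (Intact text survives) Tj ET"),
        # "Hex encoded" written as a hex string operand
        flate_stream_object(5, b"BT /F1 12 Tf <48657820656e636f646564> Tj ET"),
        flate_stream_object(6, b"BT /F1 12 Tf (This chunk gets encrypted) Tj ET"),
    ]
    return b"%PDF-1.4\n" + b"".join(objects) + b"%%EOF\n"


def simulate_intermittent_encryption(pdf: bytes, target_obj: int) -> bytes:
    """Stand-in for an 'encrypt this chunk, skip the next' pass: overwrites the stream
    bytes of one object with XOR 0x5A.  Not a real cipher, just enough to make that
    stream undecodable while the neighbouring objects stay untouched (assumption)."""
    m = re.search(rb"%d 0 obj.*?stream\r?\n(.*?)\nendstream" % target_obj, pdf, re.DOTALL)
    start, end = m.span(1)
    return pdf[:start] + bytes(b ^ 0x5A for b in pdf[start:end]) + pdf[end:]


def recover_text_streams(pdf: bytes) -> dict:
    """Walk every object, inflate its stream, and pull the string operands out.
    Returns {obj_num: text} for streams that decode and {obj_num: None} for
    streams whose bytes were overwritten (zlib rejects them)."""
    results = {}
    for num, body in OBJ_RE.findall(pdf):
        sm = STREAM_RE.search(body)
        if sm is None:
            continue  # catalog / page dictionaries carry no stream
        raw = sm.group(1)
        if b"/FlateDecode" in body:
            try:
                content = zlib.decompress(raw)
            except zlib.error:
                results[int(num)] = None  # encrypted chunk landed here
                continue
        else:
            content = raw
        pieces = []
        for literal, hexstr in STRING_RE.findall(content):
            if hexstr:
                # reverse the hex encoding back to the original bytes
                pieces.append(bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode()))
            else:
                pieces.append(literal)  # escape sequences left as written
        results[int(num)] = b"".join(pieces).decode("latin-1")
    return results


if __name__ == "__main__":
    damaged = simulate_intermittent_encryption(build_sample_pdf(), 6)
    for obj_num, text in recover_text_streams(damaged).items():
        print(obj_num, "LOST" if text is None else repr(text))
```

The point to take away is that the recovery never touches the encrypted bytes at all: each object is either fully decodable or written off, and a real tool additionally has to cope with CMAP-encoded fonts, CRLF line endings and `/Length`-based stream boundaries that this sketch ignores.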
CyberArk discovered similar restoration possibilities for other file formats, including ZIP archives, after successfully recovering PDF files with the White Phoenix tool.
Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods) and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) document formats are supported.
File entries in ZIP archive (CyberArk)

Done by hand, restoring these file types means using 7-Zip and a hex editor to pull the unencrypted XML parts out of the damaged document and substitute them into a fresh one.
For supported file types, White Phoenix automates all of the above steps, though manual intervention may be required in some cases.
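The manual 7-Zip-plus-hex-editor procedure above boils down to carving ZIP members out of a damaged archive and keeping only those that are still intact. The script below is an added example for this page (not White Phoenix's own code) that does exactly that in Python: it builds a constructed stand-in for a .docx, overwrites the compressed bytes of one member as an encrypted chunk would, then scans for the `PK\x03\x04` local file header signature, inflates each member, checks its CRC-32 against the header, and rebuilds a fresh ZIP from the survivors. The part names, XML content and XOR "cipher" are assumptions for the demo.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

LOCAL_SIG = b"PK\x03\x04"                      # ZIP local file header signature
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")    # 30-byte fixed part of that header

# Constructed sample content (assumption, not a real document).
DOCUMENT_XML = (b"<w:document><w:body><w:p><w:r><w:t>Quarterly numbers</w:t>"
                b"</w:r></w:p></w:body></w:document>")


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: a ZIP holding a few of the parts Word expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/styles.xml", b'<w:styles><w:style w:styleId="Normal"/></w:styles>' * 8)
    return buf.getvalue()


def find_local_entries(data: bytes) -> list:
    """Carve every local file header out of a (possibly damaged) file and return
    (name, method, crc, usize, data_start, csize) per member.  The central directory
    at the end of the ZIP is ignored on purpose: the local headers are what survive
    when only some chunks were encrypted.  Bogus hits are weeded out by the CRC check."""
    entries, pos = [], 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + LOCAL_HDR.size > len(data):
            break
        (_sig, _ver, flags, method, _time, _date, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        name_start = pos + LOCAL_HDR.size
        data_start = name_start + nlen + xlen
        if not flags & 0x08:  # bit 3 set = sizes live in a trailing data descriptor, skipped here
            entries.append((data[name_start:name_start + nlen].decode("utf-8", "replace"),
                            method, crc, usize, data_start, csize))
        pos += len(LOCAL_SIG)
    return entries


def inflate_entry(data: bytes, entry) -> Optional[bytes]:
    """Return the member's plaintext if its bytes survived, else None."""
    _name, method, crc, usize, data_start, csize = entry
    raw = data[data_start:data_start + csize]
    try:
        if method == 0:      # stored
            plain = raw
        elif method == 8:    # deflate (raw stream, no zlib header)
            plain = zlib.decompressobj(-zlib.MAX_WBITS).decompress(raw)
        else:
            return None
    except zlib.error:
        return None
    if len(plain) != usize or zlib.crc32(plain) != crc:
        return None          # an encrypted chunk overwrote part of this member
    return plain


def damage_entry(docx: bytes, name: str) -> bytes:
    """Stand-in for one encrypted chunk: XOR the compressed bytes of a single member
    (assumption; a real strain encrypts by offset, not by member name)."""
    for entry in find_local_entries(docx):
        if entry[0] == name:
            start, end = entry[4], entry[4] + entry[5]
            return docx[:start] + bytes(b ^ 0x5A for b in docx[start:end]) + docx[end:]
    raise KeyError(name)


def recover_office_parts(docx: bytes):
    """Rebuild a fresh ZIP from every member whose CRC still checks out.
    Returns (rebuilt_zip_bytes, recovered_names, lost_names)."""
    recovered, lost = [], []
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for entry in find_local_entries(docx):
            plain = inflate_entry(docx, entry)
            if plain is None:
                lost.append(entry[0])
            else:
                z.writestr(entry[0], plain)
                recovered.append(entry[0])
    return out.getvalue(), recovered, lost


def read_part(zip_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name)


if __name__ == "__main__":
    damaged = damage_entry(build_sample_docx(), "word/styles.xml")
    rebuilt, recovered, lost = recover_office_parts(damaged)
    print("recovered:", recovered, "lost:", lost)
```

The rebuilt archive is not yet a document Word will open: the lost `word/styles.xml` still has to be replaced with a copy from a healthy template, which is the "data replacement" step of the manual procedure. If no `PK\x03\x04` signature survives at all, the scan returns nothing and the file is beyond this kind of recovery.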
The tool is free to download from CyberArk’s public GitHub repository.
Practical limitations
The analysts report that their automated data recovery tool should work well for the mentioned file types encrypted by the following ransomware strains:
- BlackCat/ALPHV
- Play ransomware
- Qilin/Agenda
- BianLian
- DarkBit
However, even when a file's format and the ransomware strain are supported, White Phoenix will not produce good results in every case.
For example, if a large portion of a file, including its critical components, has been encrypted, the recovered data may be incomplete or useless.
In other words, how much the tool can get back depends directly on how much of the file was left unencrypted.
Except in rare cases where the hex encoding matches the original character values, recovery of text stored as CMAP objects in PDF files is only possible if neither the text nor the CMAP objects are encrypted.
White Phoenix was tested by BleepingComputer with a small sample of ALPHV-encrypted PDF files and Play-encrypted PPTX and DOCX files and was unable to recover any data.
However, CyberArk explained that this could be due to the attacks we received samples from not using intermittent encryption or the files being too heavily encrypted to be properly parsed.
“Depending on the ransomware sample used, various file sizes may be too encrypted to recover data from. If the following characters do not appear in the file, it is most likely fully encrypted and White Phoenix will be unable to assist,” CyberArk told BleepingComputer.
ZIP-based Office formats must still contain the “PK\x03\x04” byte sequence (the ZIP local file header signature) for White Phoenix to work properly.
In order to be partially recovered, PDFs must also contain “0 obj” and “endobj” strings.
If White Phoenix is unable to locate these strings, it reports that the file type is not supported, as it did in BleepingComputer’s limited tests.
While the tool may not work for every file, it may be extremely useful for victims trying to recover at least some data from critical files.
CyberArk invites all security researchers to download and test the tool, as well as contribute to its improvement and expansion of support to more file types and ransomware strains.