CyberArk has developed and released a new ransomware decryptor called “White Phoenix”. The tool allows ransomware victims to partially recover files encrypted by ransomware strains that use intermittent encryption.
Intermittent encryption is a recent trend among ransomware groups: rather than encrypting a targeted file in full, the ransomware encrypts only part of it. The approach has weaknesses in how it is carried out, and under the right circumstances those weaknesses make it possible to salvage the portions of the files that were never encrypted.
In the intermittent encryption process, the attacker does not encrypt files in their entirety; only part of the data is encrypted, which may mean only some of the files, blocks of a fixed size within a file, or only the beginning of selected files. There are several reasons why an attacker would choose this over full encryption, but the most important one is time.
Partial encryption is faster, taking less time per file, so the attacker can affect more files in a shorter period. And unlike full encryption, if the attack is detected and stopped part-way, the number of files already encrypted is still likely to be large enough that the impact reaches critical files.
Among the ransomware operations that use intermittent encryption are Play, ESXiArgs, Qilin/Agenda, BianLian and BlackCat, also known as ALPHV. The latter is one of the most active and is regarded by much of the cybersecurity community as the most sophisticated currently in operation.
According to CyberArk, this type of encryption weakens the scheme itself by leaving part of each original file unencrypted. In the case of BlackCat, most encryption modes can potentially leave a significant amount of file content untouched, which allows, under the right circumstances, the recovery of the data that was never encrypted.
The development of White Phoenix follows experimentation with partially encrypted PDF files and attempts to recover text and images from stream objects. It was observed that there were several objects in these PDF files that remained unaffected, allowing them to be extracted.
According to CyberArk, recovering an image stream is as simple as undoing the filters applied to it; text recovery is harder, since, in the simplest cases, the text is split into chunks within the stream. For these cases each fragment has to be identified and the fragments concatenated in order.
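To make the stream-recovery idea concrete, here is an added Python example (not White Phoenix's own code) that scans a constructed, partially damaged PDF-like byte string, keeps only the FlateDecode streams that still inflate, and concatenates the text fragments found in Tj/TJ operators. The sample bytes, the junk standing in for an encrypted region, and all function names are constructed for this illustration.

```python
import re
import zlib

def _flate_stream(body):
    # Wrap a content stream body the way a PDF object would (FlateDecode filter).
    data = zlib.compress(body)
    return b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream"

# Constructed sample: object 3 is an intact content stream whose text is split
# across a Tj operator and a TJ array; object 4's stream data has been overwritten
# with junk, simulating a block hit by intermittent encryption.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj " + _flate_stream(b"BT /F1 12 Tf (Quarterly) Tj [( report: ) -250 (intact)] TJ ET") + b" endobj\n"
    b"4 0 obj << /Length 80 /Filter /FlateDecode >>\nstream\n" + b"\x8f\xa2" * 40 + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# "(text) Tj" or "[(frag) kern (frag)] TJ"; escaped parentheses inside strings are not handled.
TEXT_OP_RE = re.compile(rb"\((.*?)\)\s*Tj|\[(.*?)\]\s*TJ", re.DOTALL)
STRING_RE = re.compile(rb"\((.*?)\)")

def recover_streams(data):
    """Return the inflated body of every stream whose FlateDecode data is still valid.
    A stream whose bytes were overwritten by encryption fails the zlib check and is skipped."""
    recovered = []
    for m in STREAM_RE.finditer(data):
        try:
            recovered.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # damaged region: nothing to recover here
    return recovered

def recover_text(data):
    """Concatenate, in order, the text fragments from every intact content stream."""
    pieces = []
    for body in recover_streams(data):
        for m in TEXT_OP_RE.finditer(body):
            if m.group(1) is not None:
                pieces.append(m.group(1))            # single string operand of Tj
            else:
                pieces.extend(STRING_RE.findall(m.group(2)))  # strings inside a TJ array
    return b"".join(pieces).decode("latin-1")

if __name__ == "__main__":
    print(len(recover_streams(SAMPLE_PDF)), "intact stream(s);", repr(recover_text(SAMPLE_PDF)))
```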
Following the test on PDF files, restoration possibilities were found for other file formats, including Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods) and PowerPoint (pptx, pptm, ptox, potm, ppsx, ppsm, odp).
Knowledge of the different file formats makes it possible to recover information from documents that have been intermittently encrypted. It is in this context that White Phoenix, a Python script that automates this recovery process, has been developed.
White Phoenix takes two arguments: the path to the file and the path to the folder where the recovered content will be saved. Whether the file is of a supported type is detected automatically.
LIST OF SUPPORTED RANSOMWARE
- BlackCat/ALPHV
- Play ransomware
- Qilin/Agenda
- BianLian
- DarkBit
LIST OF SUPPORTED FILES
- Word formats: docx, docm, dotx, dotm, odt
- Excel formats: xlsx, xlsm, xltx, xltm, xlsb, xlam, ods
- PowerPoint formats: pptx, pptm, ptox, potm, ppsx, ppsm, odp
- Zip
While the decryptor may not work for all files, it proves to be a very helpful tool when the victim tries to recover some information from critical files. CyberArk invites you to try the tool, and join the joint efforts to improve it and extend its compatibility to more files and ransomware strains.