New ransomware decryptor recovers data from partially encrypted files

A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.

In September 2022, Sentinel Labs reported that intermittent encryption is gaining traction in the ransomware space, with all major RaaS operations offering it at least as an option to affiliates, and BlackCat/ALPHV having seemingly the most sophisticated implementation.

BlackCat's intermittent encryption (CyberArk)

However, according to CyberArk, which developed and published 'White Phoenix,' this tactic introduces weaknesses into the encryption, as leaving parts of the original files unencrypted creates the potential for free data recovery.

Ransomware operations that use intermittent encryption include BlackCat, Play, ESXiArgs, Qilin/Agenda, and BianLian.

Recovering partially encrypted files

CyberArk developed White Phoenix after experimenting with partially encrypted PDF files, attempting to recover text and images from stream objects.

PDF's stream object sample (CyberArk)

The researchers found that in certain BlackCat encryption modes, many objects in PDF files remain unaffected, allowing the data to be extracted.

In the case of image streams, recovering them is as simple as removing the applied filters.

In the case of text recovery, the methods include identifying text chunks in the streams and concatenating them, or reversing hex encoding and CMAP (character mapping) scrambling.
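Object-level salvage of the kind just described, as an added example that is not CyberArk's code: it walks the `N 0 obj ... endobj` blocks of a constructed, partially damaged PDF fragment, checks that each stream's declared `/Length` lands on `endstream`, inflates `FlateDecode` streams, and concatenates the literal and hex-encoded string operands from the streams that decode. The sample file, object numbers and the simulated ciphertext are all constructed for this example; CMAP un-scrambling is not attempted.

```python
import re
import zlib

# ---- Constructed sample (not a real victim file) -----------------------------
# A minimal PDF-like byte string with two stream objects. Object 4 survived an
# intermittent-encryption pass intact; object 5's stream bytes were overwritten by
# an encrypted chunk, simulated here with a deterministic byte pattern.
_INTACT_CONTENT = (
    b"BT /F1 12 Tf 72 700 Td (Quarterly report) Tj <2046593233> Tj "
    b"[(Q) -20 (2)] TJ ET"
)
_INTACT_FLATE = zlib.compress(_INTACT_CONTENT)
_SIMULATED_CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(32))

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + b"4 0 obj\n<< /Length " + str(len(_INTACT_FLATE)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _INTACT_FLATE + b"\nendstream\nendobj\n"
    + b"5 0 obj\n<< /Length 32 /Filter /FlateDecode >>\nstream\n"
    + _SIMULATED_CIPHERTEXT + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)

_OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.DOTALL)
_STREAM_START_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length values only; "/Length 2 0 R" style indirect lengths are skipped.
_DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# Literal strings "(...)" and hex strings "<...>" (but not dictionary "<<").
_TEXT_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)|(?<!<)<([0-9A-Fa-f\s]+)>(?!>)")


def salvage_streams(pdf: bytes) -> list:
    """Classify every 'N 0 obj ... endobj' block that carries a stream.

    status is 'ok' (decoded bytes in 'data'), 'length-mismatch' (the declared
    /Length does not land on 'endstream', so damage cut into the object) or
    'undecodable' (the filter rejects the bytes, typically because they are
    ciphertext).
    """
    records = []
    for obj in _OBJ_RE.finditer(pdf):
        num, body = int(obj.group(1)), obj.group(2)
        start = _STREAM_START_RE.search(body)
        if start is None:
            continue  # not a stream object
        dictionary = start.group(1)
        length_match = _DIRECT_LENGTH_RE.search(dictionary)
        if length_match is None:
            continue  # indirect /Length; resolving it is outside this example
        length = int(length_match.group(1))
        data = body[start.end():start.end() + length]
        tail = body[start.end() + length:]
        record = {"obj": num, "status": "ok", "data": None}
        if len(data) < length or not re.match(rb"\s*endstream", tail):
            record["status"] = "length-mismatch"
        elif b"/FlateDecode" in dictionary:
            try:
                record["data"] = zlib.decompress(data)
            except zlib.error:
                record["status"] = "undecodable"
        else:
            record["data"] = data  # unfiltered stream (e.g. raw image samples)
        records.append(record)
    return records


def _unescape(literal: bytes) -> bytes:
    # Only the escapes that matter for plain ASCII text; octal escapes are left as-is.
    return literal.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def recover_text(pdf: bytes) -> str:
    """Concatenate the string operands found in every decodable content stream."""
    pieces = []
    for record in salvage_streams(pdf):
        if record["data"] is None:
            continue
        for m in _TEXT_RE.finditer(record["data"]):
            if m.group(1) is not None:
                pieces.append(_unescape(m.group(1)))
            else:
                pieces.append(bytes.fromhex(m.group(2).decode("ascii")))
    return b"".join(pieces).decode("latin-1")


if __name__ == "__main__":
    for r in salvage_streams(SAMPLE_PDF):
        print(f"object {r['obj']}: {r['status']}")
    print(repr(recover_text(SAMPLE_PDF)))
```

Text that a font maps through a scrambled CMAP comes out of this as the glyph codes rather than readable characters, which is the limitation the article describes further down; the `/Length` check is what separates an object that an encrypted chunk cut through from one whose stream merely fails to inflate.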

After successfully recovering PDF files using the White Phoenix tool, CyberArk found similar recovery possibilities for other file formats, including files based on ZIP archives.

These ZIP-based files include the Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods), and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) document formats.

File entries in ZIP archive (CyberArk)

Recovery for these file types is achieved by using 7zip and a hex editor to extract the unencrypted XML files of impacted documents and perform data replacement.
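The 7zip-and-hex-editor step, automated as an added example that is not CyberArk's code: it carves every `PK\x03\x04` local file header out of a constructed, partially overwritten .docx byte string, inflates each entry's raw-deflate data, verifies the CRC-32 and sizes recorded in the header, and writes the entries that verify into a fresh ZIP container. The sample archive, its XML payloads and the simulated ciphertext are constructed here; no central directory is relied on, because in a damaged file it is often inside the encrypted region.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
_LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte ZIP local file header


def _raw_deflate(data: bytes) -> bytes:
    comp = zlib.compressobj(level=9, wbits=-15)  # raw deflate, as ZIP stores it
    return comp.compress(data) + comp.flush()


def _local_entry(name: bytes, payload: bytes) -> bytes:
    """Local file header + name + deflated data, as an Office writer lays it out."""
    comp = _raw_deflate(payload)
    header = _LOCAL_HDR.pack(LOCAL_SIG, 20, 0, 8, 0, 0, zlib.crc32(payload),
                             len(comp), len(payload), len(name), 0)
    return header + name + comp


# ---- Constructed sample (not a real victim file) -----------------------------
_ENTRIES = [
    (b"[Content_Types].xml",
     b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
     b'<Default Extension="xml" ContentType="application/xml"/></Types>'),
    (b"word/document.xml",
     b'<?xml version="1.0"?><w:document><w:body><w:p><w:r><w:t>Board minutes, 12 March</w:t>'
     b'</w:r></w:p></w:body></w:document>'),
    (b"word/styles.xml",
     b'<?xml version="1.0"?><w:styles><w:style w:styleId="Normal"><w:name w:val="Normal"/>'
     b'</w:style></w:styles>'),
]
_INTACT = b"".join(_local_entry(n, p) for n, p in _ENTRIES)
# Simulate an encrypted chunk: everything from 6 bytes into the third entry's data
# to the end of the file (where the central directory would sit) is overwritten.
_CUT = (len(_local_entry(*_ENTRIES[0])) + len(_local_entry(*_ENTRIES[1]))
        + _LOCAL_HDR.size + len(_ENTRIES[2][0]) + 6)
_SIMULATED_CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(256))
DAMAGED_DOCX = _INTACT[:_CUT] + _SIMULATED_CIPHERTEXT


def carve_local_entries(buf: bytes) -> list:
    """Find every local file header and try to inflate and CRC-check its data."""
    records = []
    pos = buf.find(LOCAL_SIG)
    while pos != -1 and pos + _LOCAL_HDR.size <= len(buf):
        (_, _ver, flags, method, _t, _d, crc, csize, usize,
         nlen, xlen) = _LOCAL_HDR.unpack_from(buf, pos)
        name_start = pos + _LOCAL_HDR.size
        data_start = name_start + nlen + xlen
        name = buf[name_start:name_start + nlen].decode("utf-8", "replace")
        data = buf[data_start:data_start + csize]
        record = {"offset": pos, "name": name, "status": "ok", "content": None}
        if flags & 0x0008:
            # Sizes live in a trailing data descriptor; the header alone cannot be trusted.
            record["status"] = "data-descriptor"
        elif len(data) < csize:
            record["status"] = "truncated"
        else:
            try:
                if method == 8:
                    plain = zlib.decompressobj(wbits=-15).decompress(data)
                elif method == 0:
                    plain = data
                else:
                    raise ValueError("unsupported compression method")
                if len(plain) != usize or zlib.crc32(plain) != crc:
                    record["status"] = "crc-mismatch"
                else:
                    record["content"] = plain
            except (zlib.error, ValueError):
                record["status"] = "undecodable"
        records.append(record)
        pos = buf.find(LOCAL_SIG, pos + 4)
    return records


def rebuild_archive(records: list) -> bytes:
    """Write the entries that verified into a fresh ZIP container."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for r in records:
            if r["content"] is not None:
                zf.writestr(r["name"], r["content"])
    return out.getvalue()


def recovered_names(archive: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    for r in carve_local_entries(DAMAGED_DOCX):
        print(f"{r['offset']:6d} {r['status']:14s} {r['name']}")
    print(recovered_names(rebuild_archive(carve_local_entries(DAMAGED_DOCX))))
```

A rebuilt archive missing `word/styles.xml` will still open in most viewers, which is the "data replacement" the article refers to; an entry whose header reports sizes in a data descriptor (flag bit 3) is reported rather than guessed at, since the sizes needed to slice its data are not in the local header.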

White Phoenix automates all of the above steps for supported file types, although manual intervention may be required in some cases.

The tool is available to download for free from CyberArk's public GitHub repository.

Practical limitations

The analysts report that their automated data recovery tool should work well for the mentioned file types encrypted by the following ransomware strains:

  • BlackCat/ALPHV
  • Play ransomware
  • Qilin/Agenda
  • BianLian
  • DarkBit

However, it's important to note that White Phoenix will not produce good results in every case, even when a file is theoretically supported.

For example, if a large portion of a file has been encrypted, including its critical parts, the recovered data may be incomplete or useless. Hence, the tool's effectiveness is directly linked to the extent of the damage to the file.

For cases where text is stored as CMAP objects in PDF files, recovery is only possible if neither the text nor the CMAP objects are encrypted, except for rare cases where the hex encoding matches the original character values.

BleepingComputer tested White Phoenix with a small sample of ALPHV-encrypted PDF files and Play-encrypted PPTX and DOCX files and was unable to recover any data using the tool.

However, CyberArk explained that this could be caused by intermittent encryption not being used in the attacks we received samples from, or by the files being too heavily encrypted to be properly parsed.

"Depending on the specific ransomware sample being used, different file sizes may be too encrypted to recover data from. If the following characters aren't seen in the file, it's likely fully encrypted and White Phoenix will not be able to help," CyberArk told BleepingComputer.

For White Phoenix to work properly, Zip/Office formats must contain the "PK\x03\x04" string in the file to be supported. In addition, PDFs have to contain "0 obj" and "endobj" strings to be partially recovered.

If White Phoenix can't find these strings, it will state that the file type is not supported, as shown below in our limited tests.
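A pre-check that applies the same two markers before a recovery attempt, as an added example that is not part of White Phoenix: it reports whether a file carries the ZIP local-header signature or the PDF object markers, counts them, and estimates how much of the file is ciphertext from the fraction of 512-byte chunks with near-maximal Shannon entropy. The chunk size, the 7.0 bits/byte threshold and the half-encrypted sample (text chunks alternating with a constructed byte pattern that stands in for ciphertext) are assumptions of this example.

```python
import math

ZIP_LOCAL_SIG = b"PK\x03\x04"
PDF_MARKERS = (b"0 obj", b"endobj")
CHUNK = 512
HIGH_ENTROPY = 7.0  # bits per byte; uniformly random data scores close to 8


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram of the chunk."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Apply the White Phoenix support markers, then estimate how much is ciphertext."""
    if ZIP_LOCAL_SIG in data:
        fmt = "zip/office"
    elif all(marker in data for marker in PDF_MARKERS):
        fmt = "pdf"
    else:
        fmt = "unsupported"
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    high = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return {
        "format": fmt,
        "local_headers": data.count(ZIP_LOCAL_SIG),
        "pdf_objects": data.count(b"endobj"),
        "high_entropy_fraction": high / len(chunks) if chunks else 0.0,
    }


# ---- Constructed samples (not real victim files) ------------------------------
_TEXT_CHUNK = (b"4 0 obj\n<< /Length 24 >>\nstream\nBT (x) Tj ET\nendstream\n"
               b"endobj\n" * 20)[:CHUNK]
# A 512-byte permutation cycle: every byte value appears exactly twice, so the
# chunk scores exactly 8 bits/byte, as ciphertext would (constructed stand-in).
_CIPHER_CHUNK = bytes((i * 37 + 11) % 256 for i in range(CHUNK))
HALF_ENCRYPTED_PDF = (_TEXT_CHUNK + _CIPHER_CHUNK) * 4


if __name__ == "__main__":
    print(triage(HALF_ENCRYPTED_PDF))
    print(triage(bytes(64)))
```

The entropy figure is an upper bound on the damage rather than a measurement of it: FlateDecode streams inside a PDF and the deflated entries of an Office package score almost as high as ciphertext, so a file that reads as 90% high-entropy may still be largely intact. The marker check is the hard gate the article describes; the entropy fraction only orders which files are worth trying first.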

Testing White Phoenix against a Play-encrypted file (Source: BleepingComputer)

While this decryptor may not work for all files, it could be very helpful for victims attempting to recover "some" data from critical files.

CyberArk invites all security researchers to download and test the tool and join the effort to improve it and help extend its support to more file types and ransomware strains.
