Security firm CyberArk has released an online version of its White Phoenix decryptor, designed to make file recovery easier for ransomware victims. Victims of specific ransomware attacks can now recover files without cloning the tool's GitHub repository.
To use the online version of White Phoenix, a user simply uploads an encrypted file to the website, clicks the "Recover" button, and gives the site some time to process it. Currently, the tool supports PDFs, Word and Excel documents, ZIP archives, and PowerPoint presentations.
The online version also has a file size limit of 10 MB. To decrypt larger files or virtual machines, you must download the tool from GitHub and run it locally.
The tool was developed to counter ransomware strains that use intermittent encryption, including BlackCat, Play, Agenda, BianLian, and DarkBit. It is important to note that White Phoenix can only help victims of strains that encrypt files this way: it recovers the parts the malware left unencrypted, so fully encrypted files are out of scope.
Intermittent encryption means the malware only partially encrypts each targeted file. As security firm SentinelOne notes, this approach offers attackers two main advantages:
- Speed: Encryption can be a time-intensive process, and time is crucial to ransomware operators – the faster they encrypt the victims' files, the less likely they are to be detected and stopped. Intermittent encryption does irretrievable damage in a concise time frame.
- Evasion: Ransomware detection systems may use statistical analysis to detect ransomware operations. Such an analysis may evaluate the intensity of file IO operations or the similarity between a known file version that has not been affected by ransomware and a suspected modified, encrypted version of the file. In contrast to full encryption, intermittent encryption helps to evade such analyses by exhibiting a significantly lower intensity of file IO operations and much higher similarity between non-encrypted and encrypted versions of a given file.
The first ransomware strain observed using this technique was LockFile, whose encryption module encrypted every other 16 bytes of a file. The approach was adopted primarily for evasion, and many other ransomware families have since implemented it.
For those looking to use White Phoenix, there are some important considerations. The tool attempts to recover text from documents by concatenating the unencrypted parts, then reversing hex encoding and CMAP (character mapping) scrambling.
Another way to think about it is that the tool automates the manual restoration techniques used by data recovery specialists. This also means that how well the decryptor works depends heavily on the file type and the ransomware involved.
...that certain strings need to be readable in the files, depending on their type, for the decryptor to work correctly. For example, ZIP files must contain the "PK\x03\x04" string, and PDFs need to contain '0 obj' and 'endobj'.
Bleeping Computer also noted the following regarding more effective use of the tool:
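As an added illustration that is not part of the original article or of any ransomware family named in it, the following Python simulates LockFile-style intermittent encryption (every other 16-byte run) next to full encryption and measures what a "known-good copy versus suspect copy" comparison would see in each case. The keystream is a toy SHA-256 counter construction used only so the example runs offline (real strains use proper ciphers), the sample file is constructed, and the key name is made up.

```python
import hashlib

BLOCK = 16  # LockFile encrypted every other 16-byte run of a file (per the article)

# Constructed sample: a short "document" standing in for a victim file.
SAMPLE = (b"Invoice 2024-001\nCustomer: Example Ltd\nAmount due: 4,200.00 EUR\n"
          b"Payment terms: 30 days\n") * 4


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; illustration only, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional ransomware: every byte of the file is encrypted."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encrypt_intermittent(data: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """LockFile-style: encrypt run 0, skip run 1, encrypt run 2, and so on.
    XOR is symmetric, so calling this again with the same key decrypts."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):
        for i in range(start, min(start + block, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def similarity(original: bytes, suspect: bytes) -> float:
    """Fraction of byte positions left unchanged: a crude version of the
    'known-good copy versus modified copy' comparison a detector might run."""
    return sum(a == b for a, b in zip(original, suspect)) / len(original)


def skipped_runs(data: bytes, block: int = BLOCK) -> bytes:
    """The runs the malware never touched, concatenated; this is all that a
    White Phoenix-style recovery tool has to work with."""
    return b"".join(data[s + block: s + 2 * block] for s in range(0, len(data), 2 * block))


def demo(key: bytes = b"constructed-demo-key") -> dict:
    full = encrypt_full(SAMPLE, key)
    partial = encrypt_intermittent(SAMPLE, key)
    return {
        "bytes_touched_full": len(SAMPLE),
        "bytes_touched_partial": sum(1 for a, b in zip(SAMPLE, partial) if a != b),
        "similarity_full": similarity(SAMPLE, full),
        "similarity_partial": similarity(SAMPLE, partial),
        "plaintext_survives": skipped_runs(partial) == skipped_runs(SAMPLE),
        "roundtrip_ok": encrypt_intermittent(partial, key) == SAMPLE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fully encrypted copy shares almost no bytes with the original, while the intermittently encrypted copy still matches at roughly half of all positions and touches only half as many bytes, which is exactly the lower I/O intensity and higher similarity the evasion argument relies on. The `skipped_runs` output is the raw material a recovery tool concatenates.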
For PDFs that contain image files, CyberArk suggests checking the 'separate files' option for more reliable results. Even if White Phoenix cannot help restore entire systems, it could still help restore valuable files or at least retrieve some data from them…Note that if you're working with sensitive information, it would be recommended to download White Phoenix from GitHub and use it locally rather than uploading sensitive documents to CyberArk's servers.
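As an added example that is not part of the article or of CyberArk's White Phoenix code, the following Python shows the kind of manual restoration step the tool automates: carving the PDF objects and ZIP entries whose markers survived in a partially encrypted file, and reporting which ones are usable. The two-object PDF and two-entry ZIP are constructed inside the block, encryption is simulated by overwriting a byte range, and the carving logic is a simplified stand-in for the tool's own parsers rather than its method.

```python
import io
import re
import struct
import zipfile
import zlib

# Constructed samples (not real victim files): a two-object PDF and a two-entry ZIP.
PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Length 49 >>\nstream\n"
    b"BT /F1 12 Tf 72 720 Td (Quarterly numbers) Tj ET\n"
    b"endstream\nendobj\n"
    b"2 0 obj\n<< /Length 43 >>\nstream\n"
    b"BT /F1 12 Tf 72 700 Td (Second page) Tj ET\n"
    b"endstream\nendobj\n"
    b"%%EOF\n"
)


def make_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "Meeting notes: vendor renewal due 2024-03-01\n" * 4)
        zf.writestr("ledger.csv", "date,amount\n2024-01-05,120.00\n2024-01-09,80.50\n")
    return buf.getvalue()


def damage(data: bytes, start: int, length: int) -> bytes:
    """Stand-in for an encrypted run: the bytes are overwritten and carry no structure."""
    return data[:start] + b"\xff" * length + data[start + length:]


OBJ_RE = re.compile(rb"(\d+) 0 obj(.*?)endobj", re.DOTALL)
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")  # literal strings handed to the Tj text operator


def carve_pdf_text(data: bytes) -> list[tuple[int, list[bytes]]]:
    """Text strings from every object whose 'N 0 obj ... endobj' markers both survived.
    An object whose header run was encrypted is lost even if its 'endobj' is intact."""
    return [(int(m.group(1)), TJ_RE.findall(m.group(2))) for m in OBJ_RE.finditer(data)]


LFH = struct.Struct("<4sHHHHHIIIHH")  # ZIP local file header, 30 bytes


def carve_zip_entries(data: bytes) -> list[tuple[str, str, bytes]]:
    """For each surviving PK\\x03\\x04 header: (name, status, plaintext-or-empty).
    The CRC-32 stored in the header decides whether a decompressed entry is trustworthy."""
    results = []
    for m in re.finditer(rb"PK\x03\x04", data):
        off = m.start()
        if off + LFH.size > len(data):
            break
        _, _, flags, method, _, _, crc, csize, usize, nlen, xlen = LFH.unpack_from(data, off)
        name = data[off + LFH.size: off + LFH.size + nlen].decode("utf-8", "replace")
        body = off + LFH.size + nlen + xlen
        if csize == 0 and flags & 0x08:  # sizes live in a trailing data descriptor
            results.append((name, "sizes only in data descriptor; not handled here", b""))
            continue
        payload = data[body: body + csize]
        try:
            if method == 0:
                plain = payload
            elif method == 8:
                plain = zlib.decompressobj(-15).decompress(payload)
            else:
                results.append((name, f"unsupported method {method}", b""))
                continue
        except zlib.error:
            results.append((name, "compressed data corrupted", b""))
            continue
        if len(plain) == usize and zlib.crc32(plain) == crc:
            results.append((name, "recovered", plain))
        else:
            results.append((name, "CRC mismatch", b""))
    return results


def demo() -> dict:
    # Wipe 60 bytes starting at object 1's header: object 1 is lost, object 2 is untouched.
    pdf_hit = damage(PDF, PDF.index(b"1 0 obj"), 60)
    z = make_zip()
    # Wipe 16 bytes inside the first entry's compressed data; both headers stay readable.
    nlen, xlen = LFH.unpack_from(z, 0)[9:11]
    zip_hit = damage(z, LFH.size + nlen + xlen + 4, 16)
    return {"pdf": carve_pdf_text(pdf_hit), "zip": carve_zip_entries(zip_hit)}


if __name__ == "__main__":
    print(demo())
```

Run it and the damaged PDF yields only object 2: the encrypted run swallowed the "1 0 obj" marker, so object 1 is unrecoverable even though its "endobj" survived, which is the practical meaning of the "certain strings need to be readable" caveat above. For the ZIP, both "PK\x03\x04" headers are found, but only the entry whose data still matches the header's CRC-32 is reported as recovered; the other is flagged rather than silently returned as garbage.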
According to a blog post published by CyberArk, White Phoenix was developed in response to the growing number of Play ransomware victims. The security firm first detected the ransomware in December 2022, when threat actors attacked Antwerp's local government.
Researchers soon found that the Play operators were using a ProxyNotShell exploit that bypassed the mitigations Microsoft had made available at the time.
Unlike many other prominent ransomware gangs, Play does not operate as a ransomware-as-a-service (RaaS). Its operators do, however, use double extortion, threatening to release stolen data if the ransom demands are not met.
The gang has been known to exploit both new and old vulnerabilities to compromise machines. Keeping software and hardware up to date in a timely manner can help prevent a Play infection, especially since the threat actors often rely on older exploits.
Other mitigation strategies include requiring multi-factor authentication (MFA) and running phishing awareness training. Regular backups are also strongly advised, as they make recovery far easier if the worst happens, and enforcing least privilege can limit the lateral spread of ransomware.