CyberArk has introduced an online version of ‘White Phoenix,’ an open-source ransomware decryptor designed to counter operations that use intermittent encryption. The tool was previously available on GitHub as a Python project; the online version aims to assist less tech-savvy ransomware victims. Using the online White Phoenix is straightforward: upload the files, click the “recover” button, and give the tool time to restore the encrypted data. It supports file formats such as PDFs, Word, Excel, ZIPs, and PowerPoint, with a 10MB size limit. For larger files or virtual machines, the GitHub version remains the go-to option.
Intermittent encryption is a tactic employed by several ransomware operations to speed up device encryption by encrypting victim files only partially. Current ransomware strains using this technique include Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit, and White Phoenix specifically aids victims affected by these strains. Despite the limitations, the decryptor attempts to recover text in documents by concatenating the unencrypted parts and reversing hex encoding and CMAP scrambling, resembling manual restoration methods used by experts. While not guaranteed to restore entire systems, White Phoenix serves as a valuable attempt to recover essential files for victims with limited restoration options.
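
The idea of concatenating the unencrypted parts can be illustrated with a small added example (not White Phoenix's code): it scans a partially overwritten file block by block, labels each block by Shannon entropy, and joins the regions that still look like plaintext. The block size, the entropy threshold, the helper names and the sample file are all assumptions made for this illustration.

```python
import hashlib
import math

BLOCK = 256       # scan granularity in bytes (assumed for this sample)
THRESHOLD = 6.5   # bits/byte; blocks above this are treated as encrypted (assumed)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def classify(buf: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Return [(offset, length, looks_encrypted)], merging adjacent blocks of one class."""
    runs = []
    for off in range(0, len(buf), block):
        chunk = buf[off:off + block]
        enc = entropy(chunk) > threshold
        if runs and runs[-1][2] == enc:
            runs[-1] = (runs[-1][0], runs[-1][1] + len(chunk), enc)
        else:
            runs.append((off, len(chunk), enc))
    return runs

def salvage(buf: bytes) -> bytes:
    """Concatenate the regions that still look like plaintext."""
    return b"".join(buf[o:o + n] for o, n, enc in classify(buf) if not enc)

def fake_ciphertext(n: int, seed: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted bytes."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(b"%d:%d" % (seed, len(out))).digest()
    return out[:n]

def make_sample(chunk: int = 1024):
    """Constructed sample: a text file with every other 1024-byte chunk overwritten."""
    plain = b"".join(b"Invoice line %04d: widget order, net 30 days.\n" % i
                     for i in range(200))
    damaged = bytearray(plain)
    for off in range(0, len(plain), 2 * chunk):
        n = min(chunk, len(plain) - off)
        damaged[off:off + n] = fake_ciphertext(n, off)
    return plain, bytes(damaged)

if __name__ == "__main__":
    plain, damaged = make_sample()
    for off, n, enc in classify(damaged):
        print(f"{off:6d} {n:5d} {'encrypted' if enc else 'plaintext'}")
    print(f"salvaged {len(salvage(damaged))} of {len(plain)} bytes")
```

Compressed content such as ZIP members or PDF streams is high-entropy even when intact, so an entropy scan alone cannot tell it apart from ciphertext; recovery for those formats has to parse the file's structure.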