CyberArk recently released an online version of its open-source White Phoenix ransomware decryptor. With it, the company aims to help ransomware victims get their files back.
CyberArk says the online version should make it easier for anyone to recover large files, including victims who are less technically inclined and do not know how to use the code.
Against intermittent encryption
The tool mainly targets files encrypted in a ransomware attack with so-called intermittent encryption. In this process, hackers encrypt only part of each file to speed up the encryption process, which leaves the rest of the file's content unencrypted.
The ransomware gangs Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit use intermittent encryption. Therefore, CyberArk’s White Phoenix tool can only help victims of these ransomware gangs.
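To see why partial encryption leaves recoverable material behind, the following added example (not code from the article or from White Phoenix) maps a file into high-entropy and readable regions and reports how much remains readable. The block size, the entropy threshold and the sample file are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # assumed analysis granularity, not a White Phoenix parameter
THRESHOLD = 7.5   # assumed cut-off in bits per byte for "looks encrypted"

def entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def map_regions(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD):
    """Label each block, merging neighbours: [(start, end, label), ...]."""
    regions = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        label = "encrypted" if entropy(chunk) >= threshold else "plain"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + len(chunk), label)
        else:
            regions.append((off, off + len(chunk), label))
    return regions

def recoverable_fraction(regions) -> float:
    """Share of the file that still sits in low-entropy (readable) regions."""
    total = regions[-1][1] if regions else 0
    plain = sum(end - start for start, end, label in regions if label == "plain")
    return plain / total if total else 0.0

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def build_sample() -> bytes:
    """Constructed file: one encrypted block, then three readable, twice."""
    text = (b"Quarterly report: revenue figures and notes follow. " * 300)[:BLOCK * 3]
    return pseudo_random(BLOCK, b"a") + text + pseudo_random(BLOCK, b"b") + text

if __name__ == "__main__":
    regions = map_regions(build_sample())
    for start, end, label in regions:
        print(f"{start:>6}-{end:<6} {label}")
    print(f"readable share: {recoverable_fraction(regions):.0%}")
```

Compressed streams inside PDF, Office and ZIP files are also high-entropy, so on those formats this heuristic overstates the encrypted share and serves only as a first triage pass.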
Online White Phoenix tool
Through this new online version, users can upload encrypted files and then click the “recover” button. After that, the tool ensures that as many files as possible are recoverable, although it may take some time for them to become available again.
Specifically, the tool attempts to reverse the encryption in an automated way rather than doing it manually. In doing so, it helps recover text from documents, among other things, by merging the unencrypted parts and by reversing hex encoding and CMAP scrambling.
The tool’s effectiveness depends heavily on the type of encryption and the ransomware variant used. Therefore, it will not always work perfectly, CyberArk points out. For example, certain strings in the files must be readable for the decryptor to work properly.
Supported files include PDF files, Word and Excel files, ZIP files and PowerPoint files. The maximum file size for the online tool is 10 MB. For decrypting larger files and VMs, users should turn to the GitHub version.
The security specialist also recommends using the GitHub version for sensitive data. Experts should run it locally, which avoids sending the sensitive information to CyberArk’s servers.