2 min Security

CyberArk releases online ransomware decryptor

CyberArk releases online ransomware decryptor

CyberArk recently released an online version of its open-source White Phoenix ransomware decryptor. With it, the company aims to help ransomware victims get their files back.

CyberArk’s White Phoenix ransomware decryptor was already available as a Python project on GitHub, but the security company has now released it as an online version as well.

With this online version, CyberArk says it should make it easier for anyone to recover large files. This should now be possible even for victims who are less technically inclined and do not know how to use the code.

Against intermittent encryption

This mainly concerns files encrypted in a ransomware attack with so-called intermittent encryption. In this process, hackers encrypt only part of all files to speed up the encryption process.

The ransomware gangs Blackcat/ALPHV, Play, Jilin/Agenda, BianLian, and DarkBit use this technology of intermittent encryption. Therefore, CyberArk’s White Phoenix tool can only help victims of these ransomware gangs.

White phoenix ransomware-hersteltool.

Online White Phoenix tool

Through this new online version, users can upload encrypted files and then click the “recover” button. After that, the tool ensures that as many files as possible are recoverable, although it may take some time for them to become available again.

Specifically, the tool attempts to reverse the encryption in an automated way rather than doing it manually. In doing so, it helps recover text from documents, among other things, by merging the unencrypted parts and by restoring hex encoding and CMAP scrambling.


The tool’s effectiveness does heavily depend on the type of encryption and ransomware variant used. Therefore, it will not always work perfectly, CyberArk points out. For example, certain strings in the files must be readable for the decryptor to work properly.

Supported files include PDF files, Word and Excel files, ZIP files and PowerPoint files. The maximum file size for the online tool is 10 MB. For decrypting larger files and VMs, users should divert to the GitHub version.

The security specialist also recommends using the GitHub version for sensitive data. Experts should do this locally, however, avoiding sending the sensitive information to CyberArk’s servers.

Also read: FBI releases decryption tool for ALPHV/BlackCat ransomware victims