Free Tool Unlocks Some Encrypted Data in Ransomware Attacks

"White Phoenix" automated tool for recovering data on partially encrypted files hit with ransomware is available on GitHub.

Good news for ransomware victims: Researchers have released a free tool on GitHub that they say can help victims of intermittent encryption attacks recover data from some types of partially encrypted files — without having to pay a ransom for the decryption key.

Intermittent encryption is an approach where a ransomware operator only partially encrypts targeted files—instead of the entire file—to speed up encryption, impact more files, and to make detection harder. In recent months, several ransomware groups including BlackCat and Play have used the approach in attacks on hundreds of organizations worldwide. The victims of these attacks have included hospitals, banks, and universities.

Fortunately for such victims, data in some types of partially encrypted files can be decrypted given the right circumstances, security vendor Cyberark said in a report this week. That's because many file formats including PDF and formats that Microsoft Office adhere to contain certain common parameters, which, even if encrypted, can be reconstructed relatively easily in a manner to make data recovery possible.

For instance, files often have a <Header><Body><Footer> construction, says Andy Thompson, global research evangelist at Cyberark.

"If partial encryption only wipes away the <header> portion of a [PDF for example], and we know that all PDF's headers look the same way, you can piece together the file so that it works again," he says.

As an example, Thompson points to an original file that might have a <Head 123><Body 456> and <Footer 789> construction. If an intermittent ransomware sample only encrypted the header, the encrypted file might have a <head 12><body 456><footer 789> construction. "White Phoenix can identify that <header 12> is <Header 123>, so it replaces the bad header with the good header, and you have a functional file again," he says.

White Phoenix

Cyberark built a tool it calls "White Phoenix" that automates the process of recovering data from intermittently encrypted documents in various file formats. These include PDF; Word formats such as docx and docm; Excel formats such as xlxm, xltx, and extm; PowerPoint formats such as pptx, pptm, and ptox; and Zip. All that White Phoneix needs is the path to the partially encrypted file and a path to a folder to save recovered content, Cyberark said.

"Just like there are many tools to help recover data from corrupted files, there can be tools to recover data from files that have undergone intermittent encryption," the security vendor said. It's available via GitHub.

Cyberark researchers tested White Phoenix against documents that BlackCat had encrypted; they believe it can work on files that other malware tools such as Play, Qilin, BianLian, and DarkBit might only partially encrypt.

"For White Phoenix to recover partially encrypted files, there needs to be unencrypted parts of the data that can be salvaged, "Thompson says. "If we are able to repair or replace the portions of the damaged files, we may be able to recover the data contained in the file."

Blurred Lines

Intermittent encryption is a trend that, in a sense, started with LockBit ransomware in 2021. In a report last September, researchers from SentinelOne described how their analysis of LockFile showed the malware encrypting only every other 16 bytes of a file. They found the threat actor encrypting files just enough to make them unusable so they could infect more systems in a shorter time frame than would be possible with full disk encryption.

Since LockFile, several other threat actors have adopted intermittent encryption as well because the approach also gives them an opportunity to sneak their malware past detection systems designed to look at the amount of content being written to disk.

In BlackCat's case, Cyberark discovered the malware is configured with six possible encryption modes. The malware, for instance, can do full file encryption or it can encrypt just the head of the file. BlackCat can also break files into equal sized chunks and then encrypt the first few bytes of each chunk or encrypt them differently depending on the size and type of file.

"Intermittent encryption starts to blur the line between corrupting files and making files truly unusable," Cyberark said. But "just like there are many tools to help recover data from corrupted files, there can be tools to recover data from files that have undergone intermittent encryption."

Editors' Choice
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading