New Ransomware Decryptor Recovers Data From Partially Encrypted Files

Cyber Security Threat Summary:
“A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim. In September 2022, Sentinel Labs reported that intermittent encryption is gaining traction in the ransomware space, with all big RaaS offering it at least as an option to affiliates and BlackCat/ALPHV having seemingly the most sophisticated implementation” (Bleeping Computer, 2023).

“White Phoenix was developed by CyberArk when the company was experimenting with partially encrypted PDF files, attempting to recover text and images from stream objects. During the experimentation, researchers found out that many objects in PDF files remain unaffected in certain BlackCat encryption modes.

In the case of image streams, recovering them is as simple as removing the applied filters. In the case of text recovery, the restoration methods include identifying text chunks in the streams and concatenating them or reversing hex encoding and CMAP (character mapping) scrambling” (Bleeping Computer, 2023).

The tool is available to download for free from CyberArk's public GitHub repository.

Security Officer Comments:
In addition to PDF files, researchers noted that it is possible to restore other files, including Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods), and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) document formats. These files can be restored using 7zip and a hex editor to extract the unencrypted XML files of impacted documents and perform data replacement. As of writing, White Phoenix is able to restore the mentioned file types when encrypted by the following ransomware strains:

  • BlackCat/ALPHV
  • Play ransomware
  • Qilin/Agenda
  • BianLian

Note: White Phoenix will not produce good results in every case, even if it's theoretically supported.

“For White Phoenix to work correctly, Zip/Office formats must contain the "PK\x03\x04" string in the file to be supported. In addition, PDFs need to contain "0 obj" and "endobj" strings to be partially recovered. If White Phoenix cannot find these strings, it will state that the file type is not supported, as shown below in our limited tests” (Bleeping Computer, 2023).
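The two points above (the "PK\x03\x04" / "0 obj" marker check, and recovering the still-unencrypted XML parts of an Office document by working on the container directly instead of trusting its ZIP index) are illustrated by the following added Python script. It is not White Phoenix's code and not from CyberArk; the sample "document", the damage pattern that stands in for intermittent encryption, and the function names (`detect_candidate_format`, `carve_zip_entries`, `recover_document_text`, and the rest) are all constructed for this example. The idea is that each ZIP entry is preceded by its own local header, so entries whose bytes survived can be inflated one by one even when the central directory at the end of the file is gone.

```python
import io
import re
import struct
import zipfile
import zlib

LOCAL_FILE_HEADER = b"PK\x03\x04"  # signature in front of every ZIP entry


def detect_candidate_format(data: bytes):
    """Triage on the marker strings the article names: a ZIP local-file header
    for Zip/Office containers, '0 obj' plus 'endobj' for PDF objects."""
    if LOCAL_FILE_HEADER in data:
        return "zip/office"
    if b"0 obj" in data and b"endobj" in data:
        return "pdf"
    return None


def standard_zip_tooling_accepts(data: bytes) -> bool:
    """Whether an ordinary ZIP reader still recognises the file (it needs the
    end-of-central-directory record, which partial encryption often destroys)."""
    return zipfile.is_zipfile(io.BytesIO(data))


def carve_zip_entries(data: bytes):
    """Walk every local-file header and inflate the entry behind it, ignoring the
    central directory. 'complete' means the deflate stream reached its end AND
    the CRC-32 stored in the header matches, so junk decoded from ciphertext is
    not mistaken for a recovered part. Partial output is kept for inspection."""
    results = []
    pos = data.find(LOCAL_FILE_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        # Fixed 30-byte header: method @8, crc @14, sizes @18/@22, name/extra lengths @26/@28
        method, crc, comp_size, _uncomp, name_len, extra_len = struct.unpack_from(
            "<8xH4xIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        data_start = pos + 30 + name_len + extra_len
        entry = {"name": name, "method": method, "complete": False, "payload": b""}
        if method == 8:  # deflate: inflate in small chunks so partial output survives an error
            inflater = zlib.decompressobj(-15)
            payload = bytearray()
            for off in range(data_start, len(data), 64):
                try:
                    payload += inflater.decompress(data[off:off + 64])
                except zlib.error:
                    break
                if inflater.eof:
                    break
            entry["payload"] = bytes(payload)
            entry["complete"] = inflater.eof and zlib.crc32(entry["payload"]) == crc
        elif method == 0:  # stored: the size field is all we have
            payload = data[data_start:data_start + comp_size]
            entry["payload"] = payload
            entry["complete"] = len(payload) == comp_size and zlib.crc32(payload) == crc
        results.append(entry)
        pos = data.find(LOCAL_FILE_HEADER, pos + 4)
    return results


def extract_word_text(xml: bytes) -> str:
    """Pull the visible text runs (<w:t>) out of a WordprocessingML part."""
    runs = re.findall(rb"<w:t(?:\s[^>]*)?>(.*?)</w:t>", xml, re.S)
    return " ".join(r.decode("utf-8", "replace") for r in runs)


def recover_document_text(damaged: bytes):
    """Return (text, complete) for word/document.xml, or None if its header is gone."""
    doc = next((e for e in carve_zip_entries(damaged) if e["name"] == "word/document.xml"), None)
    if doc is None:
        return None
    return extract_word_text(doc["payload"]), doc["complete"]


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: a deflated ZIP with three parts."""
    body = "".join(f"<w:p><w:r><w:t>Paragraph {i} of the quarterly report.</w:t></w:r></w:p>"
                   for i in range(40))
    styles = "".join(f'<w:style w:styleId="s{i}"/>' for i in range(200))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:body>{body}</w:body></w:document>")
        zf.writestr("word/styles.xml", f"<w:styles>{styles}</w:styles>")
    return buf.getvalue()


def simulate_intermittent_encryption(archive: bytes) -> bytes:
    """Overwrite one region with a constructed byte pattern (ciphertext stand-in):
    from 20 bytes into the styles.xml stream to end of file, which also wipes
    the central directory. document.xml, earlier in the file, is untouched."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        hdr = zf.getinfo("word/styles.xml").header_offset
    name_len, extra_len = struct.unpack_from("<HH", archive, hdr + 26)
    start = hdr + 30 + name_len + extra_len + 20
    junk = (bytes(range(256)) * (len(archive) // 256 + 1))[:len(archive) - start]
    return archive[:start] + junk


if __name__ == "__main__":
    damaged = simulate_intermittent_encryption(build_sample_docx())
    print("marker triage:", detect_candidate_format(damaged))
    print("zipfile still accepts it:", standard_zip_tooling_accepts(damaged))
    for e in carve_zip_entries(damaged):
        print(f"{e['name']:<22} complete={e['complete']} recovered_bytes={len(e['payload'])}")
    text, complete = recover_document_text(damaged)
    print("document text complete:", complete, "->", text[:60], "...")
```

Run as-is and the standard ZIP reader rejects the damaged file, while the carver reports `word/document.xml` and `[Content_Types].xml` as complete and `word/styles.xml` as incomplete; the CRC test is what keeps a stream that happens to "end" inside ciphertext from being reported as recovered.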

Link(s):
https://www.bleepingcomputer.com/