CyberArk has released an online version of a file decryptor. This is a simplified, web version of the “White Phoenix” decryptor, initially available from the source code placed on GitHub.
White Phoenix Decryptor by CyberArk Goes Online
CyberArk, a public information security company that previously developed White Phoenix decrypter, has recently published a simplified web version. The older one, available on GitHub in the form of a source code, was a bit of a complication. It does not require installation or additional actions on the victim’s part. Instead, it lets you decrypt a file in two clicks by loading it into a browser window.
The web version appears to be a rather convenient solution, as all you need to do to decrypt a file is to upload it to the site and click “recover”. On the other hand, the service has some limitations, including a 10 MB file size limit and the ability to download only one file at a time. In addition, when recovering confidential information, experts recommend using the standalone version for security reasons.
What is White Phoenix?
White Phoenix is an open-source ransomware decryptor created by CyberArk. It targets ransomware operations that use intermittent encryption. The tool can analyze the encrypted files and try to recover the original data using various algorithms and techniques.
As the devs say, this decryptor can restore up to 50% of the file content, depending on the type and size of the file and the encryption method used by the ransomware. White Phoenix supports various file types, such as PDF, Word, Excel, ZIP, and PowerPoint. It can also handle virtual machines (VMs) and disk images, often targeted by ransomware. Standalone version White Phoenix is a Python project on GitHub that users can download and run on their machines.
For the decryptable ransomware strains, authors name BlackCat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. As I’ve mentioned above, the key point here is the use of intermittent encryption. Such an approach allows to drastically increase the encryption operation, without weakening the cipher itself. White Phoenix concatenates unencrypted parts and reverses hex encoding and CMAP scrambling. However, depending on the file type and ransomware, the decryptor may not work well. So, certain file strings must be readable for the decryptor to work correctly. Even if White Phoenix cannot help restore entire systems, it could still help retrieve some data from valuable files.
January 2024 is Rich on Decryptors
Updated CyberArk decryptor adds one more case in a pretty interesting trend. At the beginning of January 2024, decryptors for Tortilla and Black Basta ransomware were released. Even though White Phoenix is not a new release but rather a new feature, it adds to a number of victims who can ease their file recovery procedure. Popularity means a lot for software developers, so making a decryptor more public among other things means more possibilities in further development.
While the number of decryptors for different ransomware types keeps rising every month, the vast majority of victims are out of their focus. For that reason, the best option here is to avoid ransomware infections at all. Fortunately, this threat is well-researched and the counteraction methods are known and effective.
- Avoid shady software sources. Torrents, warez sites and just pages that offer cracked software may contain packages with malware, spyware, or viruses. Using them is a russian roulette for your safety, and also violates the law. Price tag for licensed software appears rather small when compared to the cost of recovery after malware attack.
- Be careful with email messages. You should not open or reply to email messages from unknown or suspicious senders. Phishing remains the most effective method to trick people into dangerous activity. This way, crooks can ask for your personal or financial information, offer you a prize or reward, or claim to be from a government or official agency.
- Do not run applications from an unknown source. Those utilities or “programs for testing” may be different from what they look like. Even when someone you trust offers you to use one, it is important to treat these programs with additional caution.
- Apply disk encryption. When dealing with sensitive data, it is not unreasonable to use disk encryption. It prevents unauthorized access to the data, as well as makes it harder for intruders to encrypt it.
- Use effective anti-malware software. This is the primary rule for each user. GridinSoft Anti-Malware will act as an additional safety layer, when preventive measures fail or absent for some reason. Also, it can clean up your system if it has already been infected.