Free Tool Unlocks Some Encrypted Data in Ransomware Attacks

White Phoenix automated tool for recovering data on partially encrypted files hit with ransomware is available on GitHub.

Good news for ransomware victims: Researchers have released a free tool on GitHub that they say can help victims of intermittent encryption attacks recover data from some types of partially encrypted files — without having to pay a ransom for the decryption key.
Intermittent encryption is an approach where a ransomware operator only partially encrypts targeted files—instead of the entire file—to speed up encryption, impact more files, and to make detection harder. In recent months, several ransomware groups including BlackCat and Play have used the approach in attacks on hundreds of organizations worldwide. The victims of these attacks have included hospitals, banks, and universities.
Fortunately for such victims, data in some types of partially encrypted files can be decrypted given the right circumstances, security vendor
Cyberark said in a report
this week. Thats because many file formats including PDF and formats that Microsoft Office adhere to contain certain common parameters, which, even if encrypted, can be reconstructed relatively easily in a manner to make data recovery possible.
For instance, files often have a

construction, says Andy Thompson, global research evangelist at Cyberark.
If partial encryption only wipes away the

portion of a [PDF for example], and we know that all PDFs headers look the same way, you can piece together the file so that it works again, he says.
As an example, Thompson points to an original file that might have a and

construction. If an intermittent ransomware sample only encrypted the header, the encrypted file might have a

construction. White Phoenix can identify that

, so it replaces the bad header with the good header, and you have a functional file again, he says.
Cyberark built a tool it calls
White Phoenix
that automates the process of recovering data from intermittently encrypted documents in various file formats. These include PDF; Word formats such as docx and docm; Excel formats such as xlxm, xltx, and extm; PowerPoint formats such as pptx, pptm, and ptox; and Zip. All that White Phoneix needs is the path to the partially encrypted file and a path to a folder to save recovered content, Cyberark said.
Just like there are many tools to help recover data from corrupted files, there can be tools to recover data from files that have undergone intermittent encryption, the security vendor said. Its available via GitHub.
Cyberark researchers tested White Phoenix against documents that
BlackCat had encrypted
; they believe it can work on files that other malware tools such as Play, Qilin,
BianLian, and DarkBit might only partially encrypt
.
For White Phoenix to recover partially encrypted files, there needs to be unencrypted parts of the data that can be salvaged, Thompson says. If we are able to repair or replace the portions of the damaged files, we may be able to recover the data contained in the file.
Intermittent encryption is a trend that, in a sense, started with
LockBit ransomware
in 2021. In a report last September, researchers from SentinelOne described how their analysis of LockFile showed the malware encrypting only
every other 16 bytes of a file
. They found the threat actor encrypting files just enough to make them unusable so they could infect more systems in a shorter time frame than would be possible with full disk encryption.
Since LockFile, several other threat actors have adopted intermittent encryption as well because the approach also gives them an opportunity to sneak their malware past detection systems designed to look at the amount of content being written to disk.
In BlackCats case, Cyberark discovered the malware is configured with six possible encryption modes. The malware, for instance, can do full file encryption or it can encrypt just the head of the file. BlackCat can also break files into equal sized chunks and then encrypt the first few bytes of each chunk or encrypt them differently depending on the size and type of file.
Intermittent encryption starts to blur the line between corrupting files and making files truly unusable, Cyberark said. But just like there are many tools to help recover data from corrupted files, there can be tools to recover data from files that have undergone intermittent encryption.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Free Tool Unlocks Some Encrypted Data in Ransomware Attacks