January 30, 2024 at 05:07PM
CyberArk has developed an online version of ‘White Phoenix,’ an open-source ransomware decryptor for victims not familiar with coding. It supports PDFs, Word, Excel, ZIPs, and PowerPoint files, with a 10MB size limit. However, it only helps victims targeted by specific ransomware strains using intermittent encryption. While not guaranteed, it may still restore valuable data.
CyberArk has developed an online version of White Phoenix, an open-source decryptor for files hit by ransomware operations that use intermittent encryption. The online version is intended to help less tech-savvy ransomware victims by providing a simpler interface for uploading and recovering files. It supports PDFs, Word and Excel documents, ZIPs, and PowerPoints with a file size limit of 10MB.
The primary use case for White Phoenix is to aid victims hit by ransomware strains employing intermittent encryption, such as Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. Because these strains encrypt only parts of each file, the tool attempts to recover data by concatenating the unencrypted parts and reversing hex encoding and CMAP scrambling. It may not work well for every file type or ransomware strain, but it could still restore valuable files or retrieve some of their data.
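The idea of salvaging the parts a partial encryptor left untouched, shown for ZIP-based files (ZIP, Word, Excel, PowerPoint) as an added Python example; it is not White Phoenix's code and does not reproduce its PDF handling. The function names and the damaged sample document are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

SIG = b"PK\x03\x04"                    # ZIP local file header signature
LFH = struct.Struct("<4sHHHHHIIIHH")   # fixed 30-byte part of that header

def carve_zip_entries(blob: bytes) -> dict:
    """Return {name: data} for each entry whose header and data are intact."""
    recovered = {}
    pos = blob.find(SIG)
    while pos != -1:
        try:
            f = LFH.unpack_from(blob, pos)
            method, crc, usize, nlen, xlen = f[3], f[6], f[8], f[9], f[10]
            name = blob[pos + 30:pos + 30 + nlen].decode("utf-8")
            body = blob[pos + 30 + nlen + xlen:]
            if method == 8:            # deflate: inflater stops at stream end
                data = zlib.decompressobj(-15).decompress(body)
            elif method == 0:          # stored: copy the declared length
                data = body[:usize]
            else:
                raise ValueError("unsupported compression method")
            if zlib.crc32(data) == crc:    # keep only entries that verify
                recovered[name] = data
        except (struct.error, UnicodeDecodeError, ValueError, zlib.error):
            pass                       # damaged header or data: skip entry
        pos = blob.find(SIG, pos + 4)
    return recovered

def build_damaged_sample() -> bytes:
    """Constructed sample: a 3-entry archive with one entry's data and the
    end-of-central-directory record overwritten (assumed damage pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", b"<w:t>Quarterly figures</w:t>" * 20)
        zf.writestr("word/styles.xml", b"<w:style w:val='Normal'/>" * 20)
        zf.writestr("docProps/core.xml", b"<dc:title>Report</dc:title>" * 20)
        hit = zf.getinfo("word/styles.xml")
    blob = bytearray(buf.getvalue())
    start = hit.header_offset + 30 + len(hit.filename)
    blob[start:start + hit.compress_size] = b"\x5a" * hit.compress_size
    eocd = blob.rfind(b"PK\x05\x06")   # without this record zipfile gives up
    blob[eocd:] = b"\x5a" * (len(blob) - eocd)
    return bytes(blob)

if __name__ == "__main__":
    for name, data in carve_zip_entries(build_damaged_sample()).items():
        print(name, len(data), "bytes recovered")
```

The CRC-32 check is what separates a usable entry from one whose data was overwritten, so a damaged part is dropped rather than written out as garbage.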
CyberArk has advised that, depending on the file type, certain strings must still be readable in the file for the decryptor to work correctly. For PDFs that contain image files, the “separate files” option is recommended for more reliable results. There are currently no working decryptors for the ransomware families mentioned above, which makes White Phoenix a valuable restoration option.
Lastly, it is recommended to download White Phoenix from GitHub and use it locally if working with sensitive information, rather than uploading sensitive documents to CyberArk’s servers.