White Phoenix - Ransomware Recovery Tool

Have you been attacked by Ransomware?
Did malicious threat actors encrypt your valuable files?

There is still hope!

CyberArk Labs is happy to share this free recovery service that can try and help you 🍺
It's based on research work we did and a free recovery tool that we developed as a POC and published as open source on and published as open source on GitHub - link.

    Important notes:
  • This recovery tool supports the following document types: PDF, Word Documents, Excel Documents, PowerPoint Documents, Zip Files.
  • The recovery of your encrypted files can succeed only if the ransomware that hit you encrypted your files using the partial encryption method, a.k.a "intermittent encryption".
  • By using this tool you agree to the terms of use.
More details available in our White Phoenix blog post - link

Read More...

Try to recover your file

Provide results in separated files
Rather not say
Background Note:

Introduction

A new trend has emerged in the world of ransomware: intermittent encryption, the partial encryption of targeted files. Many ransomware groups, such as BlackCat and Play, have adopted this approach.
White Phoenix is an open-source tool created by researchers in CyberArk Labs that leverages features of intermittent encryption to allow victims of ransomware attacks to recover some of the data from files that have been encrypted by intermittent encryption. The researchers designed this website for both individuals who may not be tech-savvy and those who simply want to swiftly test White Phoenix, allowing them to utilize the tool without the need to download it and execute Python.

How It Works?

It's that simple! Once the file is uploaded, White Phoenix will run and recover whatever data can be extracted, returning it in a docx/zip file.

Note: Not all data can be recovered. Please follow these guidelines to improve the chances of success:

  • Not all ransomware use intermittent encryption. White Phoenix was successfully tested on: BlackCat/Alphv, Play, Qilin/Agenda, BianLian, and DarkBit.
  • Supported file types: PDF, Word Documents, Excel Documents, PowerPoint Documents, Zip Files.
  • Larger files have a higher chance of containing sections with useful data. However files up to 10MB can be handled here, for larger files, use the GitHub version.
  • For PDFs, images aren't always recovered properly. To have a higher chance of success for images, check the "Separated Files" checkbox before running.

Technical Information

With intermittent encryption, ransomware will often skip parts of the files they are encrypting. As a result, occasionally they will miss valuable data that, while not accessible through typical file readers and editors, are still technically accessible.Our open source tool, White Phoenix, parses the uploaded files looking for sections that hold such valuable data and extracts them for recovery.
For more technical information on how the parsing is done visit our blog post about White Phoenix.

About

CyberArk Labs is a vital component of CyberArk LTD's cutting-edge research division. Within our labs, we are dedicated to pioneering Threat Research and Innovation, constantly pushing the boundaries of cybersecurity knowledge.
Our team actively shares valuable insights through our blog hosted at Home - CyberArk Labs and actively participates in esteemed conferences like BlackHat and DEF CON to showcase our groundbreaking research.
Moreover, our commitment extends to the development of open-source resources, which you can explore on our GitHub repository at CyberArk. Among these valuable tools, White Phoenix stands out as a beacon of hope for ransomware victims, designed to assist in the recovery of lost data.