"Free Tool Unlocks Some Encrypted Data in Ransomware Attacks"

Researchers at Cyberark have released a free tool on GitHub that can help victims of intermittent encryption attacks recover data from some types of partially encrypted files, without having to pay a ransom for the decryption key. Intermittent encryption is where a ransomware operator only partially encrypts targeted files, instead of the entire file, to speed up encryption, impact more files, and make detection harder. In recent months, several ransomware groups, including BlackCat and Play, have used the approach in attacks on many organizations, which included hospitals, banks, and universities. According to Cyberark, for such victims, data in some types of partially encrypted files can be decrypted given the right circumstances because many file formats, including PDF and formats that Microsoft Office adhere to, contain certain common parameters, which, even if encrypted, can be reconstructed relatively easily to make data recovery possible. Cyberark created a tool called "White Phoenix" that automates recovering data from intermittently encrypted documents in various file formats. This article continues to discuss the White Phoenix automated tool for recovering data on partially encrypted files hit with ransomware.

Dark Reading reports "Free Tool Unlocks Some Encrypted Data in Ransomware Attacks"