New ransomware decryptor recovers data from partially encrypted files
2023-05-10 16:16

A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.

After successfully recovering PDF files using the White Phoenix tool, CyberArk found similar restoration possibilities for other file formats, including files based on ZIP archives.

Restoration for these file types is achieved by using 7zip and a hex editor to extract the unencrypted XML files of impacted documents and perform data replacement.
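The idea behind that manual procedure can be sketched in code. The following is an added example, not White Phoenix's or CyberArk's code: it scans a damaged ZIP-based document for local file headers that survived and inflates only the entries whose CRC still verifies. The function names and the sample archive are constructed for illustration.

```python
import io, random, struct, zipfile, zlib

SIG = b"PK\x03\x04"                       # ZIP local file header signature
HDR = struct.Struct("<4sHHHHHIIIHH")      # fixed 30-byte local file header

def recover_entries(blob: bytes) -> dict:
    """Carve entries whose local header and data survived; ignores the central directory."""
    found, pos = {}, blob.find(SIG)
    while pos != -1:
        try:
            _, _, _, method, _, _, crc, csize, _, nlen, xlen = HDR.unpack_from(blob, pos)
            name = blob[pos + HDR.size:pos + HDR.size + nlen].decode("utf-8")
            start = pos + HDR.size + nlen + xlen
            if method == 8:               # raw deflate: the stream marks its own end
                data = zlib.decompressobj(-15).decompress(blob[start:])
            elif method == 0:             # stored: length comes from the header
                data = blob[start:start + csize]
            else:
                raise ValueError("unsupported compression method")
            # Keep only CRC-verified data. Entries written with a trailing data
            # descriptor carry CRC 0 in this header and are skipped by this sketch.
            if name and zlib.crc32(data) == crc:
                found[name] = data
        except (struct.error, zlib.error, UnicodeDecodeError, ValueError):
            pass                          # damaged header or data: keep scanning
        pos = blob.find(SIG, pos + 1)
    return found

def build_sample():
    """Constructed DOCX-like archive with its first entry and end record overwritten."""
    parts = {"[Content_Types].xml": b"<Types/>",
             "word/document.xml": b"<w:document>" + b"<w:t>quarterly report</w:t>" * 40 + b"</w:document>",
             "word/styles.xml": b"<w:styles/>"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
        second = zf.infolist()[1].header_offset
    raw, rng = bytearray(buf.getvalue()), random.Random(7)
    for lo, hi in ((0, second), (len(raw) - 22, len(raw))):   # stand-in for encrypted chunks
        raw[lo:hi] = bytes(rng.getrandbits(8) for _ in range(hi - lo))
    return bytes(raw), parts

if __name__ == "__main__":
    damaged, original = build_sample()
    for name, data in recover_entries(damaged).items():
        print(name, len(data), data == original[name])
```

A normal ZIP reader rejects the damaged sample because the end-of-archive record is gone, while the header scan still returns the two entries that were left untouched.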

BleepingComputer tested White Phoenix with a small sample of ALPHV-encrypted PDF files and Play-encrypted PPTX and DOCX files and was unable to recover any data using the tool.

"Depending on the specific ransomware sample being used, different file sizes might be too encrypted to recover data from. If the following characters aren't seen in the file, it is likely fully encrypted and White Phoenix won't be able to help," CyberArk told BleepingComputer.

While this decryptor may not work for all files, it could help victims recover "some" data from critical files.


News URL

https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/