Partial encryption is a growing trend in the world of ransomware, but with it comes the potential for data recovery on affected files. We’ll give an overview here on what the term “partial encryption” means. It is perhaps more accurate to say, “intermittent encryption,” but even so, it will be important to understand this recent trend in how many ransomware infections operate. From there, we’ll introduce White Phoenix, the freely available tool developed by CyberArk which can be used on partially encrypted files for data recovery. Next, we’ll go into some specifics on how and why this tool can be used to potentially recover data from files.
To get things started, what is partial encryption? As one might expect, this is simply referring to a file that has been partially encrypted. An example of how this could work can be seen below. The basic task for performing the encryption is that a file is broken up into chunks and some are encrypted while others aren’t. This idea can become slightly complicated in the sense that one method only involves encrypting one N-sized chunk at the beginning of the file, another method breaks the file into B-sized chunks and alternates encryption in that way, or another method can make things even more complicated by introducing P-sized chunks as well.
(Source: CyberArk)
Partial encryption has been a growing trend with ransomware groups for a couple of reasons. First, even though partial encryption may sound slightly less horrible than full encryption, it can be just as effective at making files unusable without the proper decryption tool and key. Only a small proportion of a file’s data needs to be encrypted before the file becomes unusable. Then, this kind of encryption process can also significantly lower the time it takes to encrypt files, given that less data is being processed. In the same sense, ransomware employing this technique may also be able to avoid detection from tools with certain I/O thresholds [1, 2].
Perhaps the worse aspect of all when it comes to partial encryption in ransomware is that there is very little downside to using it. Files are still rendered useless, and the operation takes place more quickly with the added bonus of potentially avoiding some methods of automatic detection. Partial encryption techniques have now been adopted by groups like LockFile, Black Basta, BlackCat, PLAY, Agenda, and Qyick in order to attract affiliates into their ransomware-as-a-service (RaaS) operations [1].
With a little bit of coverage on partial encryption done, we can discuss potentially recovering files that have been affected by this kind of ransomware. Here we are going to introduce the recently released White Phoenix, which is a tool developed in Python 3 by CyberArk for the purposes of recovering files which have been partially encrypted. It can be found on CyberArk’s GitHub page [4]. Interestingly, the name White Phoenix was chosen as a contrast to the various ransomware groups who have “black” in their names, such as Black Cat, BlackByte, and Lockbit Black [5].
This tool can be used with the default Python 3 libraries and works with a few different file types, such as PDFs or many different Office file formats, so long as they are based on the ZIP file format. This tool has been tested to work with files affected by ransomware from BlackCat, Agenda, Play, and DarkBit. It is important to note here that while this tool does work on a decent number of file types and has been tested with many different ransomware, the files are not decrypted and therefore cannot be recovered in full. Recovery may not be possible at all in some cases because of some specific aspects of how files need to be structured, or because some files have just been encrypted too much. Even so, this tool still allows victims to recover potentially important information from files [3, 5].
CyberArk looked into the development of the White Phoenix tool while researching BlackCat and experimenting with recovering object data from encrypted PDF files. In cases where intermittent encryption is used to encrypt the file, it may be possible that objects within the PDF file remain untouched. Thus, extraction and recovery may be possible. Without going into detail on how PDF files are structured, objects within the files are encased within a couple of text strings. The object begins with a pair of numbers followed by “obj”, and the object ends with the string “endobj”. An example of this can be seen below. CyberArk notes that images tend to be easier to recover from objects than text since images usually appear as the content of “stream” type objects. Text, on the other hand, can be broken up into chunks within an object, which need to be identified and concatenated.
(Source: CyberArk)
The other files White Phoenix is compatible with, such as Office files, are those that have file formats that are derived from the ZIP format. Files that contain the characters “PK” followed by the bytes 3 and 4 are indicative of a zip file entry structure. It may be possible to extract unencrypted files using a ZIP file tool from affected files so long as this sequence is present in the file. As we can see below, the compressed files within Office documents tend to be XML files. CyberArk was able to recover data from a partially encrypted Excel file during their investigation and create a new file with the recovered data.
(Source: CyberArk)
For PDF files, the White Phoenix tool implements the logic for identifying objects, extracting them, and saving them as separate files named after the recovered file. For the ZIP-based files, only the unzipping step is implemented in the tool as there is no guarantee the recovered fragments could produce a valid document.
To summarize, we first talked a little bit about partial encryption. It is a method of rendering a file unusable by way of encryption without having to encrypt the entire file. Files will be broken up into “chunks” and some of the chunks will be encrypted while others will not. This gives a number of advantages to ransomware employing this method of encryption, such as faster processing times and a reduced number of I/O operations. Many high-profile ransomware operators are now employing some sort of partial encryption.
We then introduced the White Phoenix tool for potentially recovering data from files affected by partial encryption. It is a tool developed by CyberArk in Python 3 and works with the default set of Python libraries. It can be used on PDFs as well as other files based on the ZIP file structure, such as Microsoft Office documents like Word and PowerPoint in addition to standard ZIP files. The tool has been tested by recovering data from files affected by BlackCat, Play, Agenda, and DarkBit ransomware.
Finally, we went a little bit into the specifics of how and when recovery is possible with some of these files. Although White Phoenix does not decrypt documents, it may still be possible to recover data from them given that the entire file was not encrypted. PDF files required that object container strings be present in the file structure, and Office and ZIP-based files require that the ZIP structure indicator bytes still be present.
[2]: https://heimdalsecurity.com/blog/intermittent-encryption/
[4]: https://github.com/cyberark/White-Phoenix
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments