
Intermittent encryption: Can businesses get ahead of this cybersecurity threat?

Article by Nathan Hew

Globally, ransomware has been a force to be reckoned with. According to CyberArk’s 2022 Identity Security Threat Landscape Report, over 70% of organizations surveyed have experienced ransomware attacks in the past year — two on average.

Regionally, IDC — a premier global market intelligence firm — similarly reported that over 70% of the surveyed organizations in Asia Pacific have experienced cyberattacks in the past 12 months. Of these, 55% have paid a ransom to avert operational disruptions and financial losses.

Against this backdrop, a new trend has emerged in the world of ransomware: intermittent encryption, which encrypts only part of each targeted file. “Intermittent encryption is when ransomware forgoes encrypting the entirety of every file, instead only encrypting part of each file, often blocks of a fixed size or only the beginning of targeted files,” said Ari Novick, a Senior Malware Analyst in the Malware Research team at CyberArk Labs.

Together with Amir Landau, who leads CyberArk Labs’s Malware Research team, Novick developed White Phoenix, a tool that takes advantage of the fact that such files are not entirely encrypted and can — in the right circumstances — salvage content from their unencrypted parts.

“Intermittent encryption starts to blur the line between corrupting files and making files truly unusable. Arguably, the idea of intermittent encryption turned out to be a mistake. Just like there are many tools to help recover data from corrupted files, there can be tools to recover data from files that have undergone intermittent encryption,” Novick commented in a blog post.


A data recovery tool for intermittently encrypted files

What sets White Phoenix apart from other data recovery tools is that it is a free, open-source solution that is available to download from CyberArk’s GitHub repository. What is CyberArk’s goal? To develop a community of like-minded people that will help evolve this tool.

“White Phoenix looks at the encrypted files for parts that have been encrypted that might be useful. Text and images are a good example and it saves those encrypted parts as new files,” Novick explains. “We have limited knowledge and we don’t know every file format. It’s far from its full potential; we definitely want more people to engage.” 

In a short demonstration with Tech Wire Asia, the Senior Malware Analyst proceeded to encrypt a large amount of text and images from a PDF that he downloaded from the Internet. “That actually gives us more to work with and White Phoenix will be able to recover more. We are going to encrypt with a ransomware called BlackCat,” he explains.

After that, he uses a second argument called paths to direct the ransomware to encrypt the folder with a PDF. It is a time-saving measure for the demonstration, which has no real impact on the encryption. 

By deploying White Phoenix, Novick runs two arguments — one pointing at the encrypted file and the other at the output folder. “Every row that we see here is an example of a sort of block of information from the PDF that has not been encrypted. Not all of these will have useful information. But we’ll see shortly, a fair amount of them will have text or images that will be saved to the out folder,” he explains.

The result? White Phoenix recovered parts of the files that had not been encrypted. One example was the end of the PDF document, where the last paragraph starts with “Many showcase schools provide support or training to other”. The exact phrase shows up in the recovered text and image. 
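To make concrete both the encryption pattern Novick describes (fixed-size blocks, only some of them encrypted) and the recovery idea behind White Phoenix (carve the parts that were never touched, without any key), here is an added example written for this article; it is not code from White Phoenix or CyberArk. The "document" is a constructed byte string standing in for a PDF's text streams, the block scrambling is a hash-based stand-in rather than any real ransomware cipher, and the carver simply looks for long runs of printable text, which is the simplest form of the file-format-aware scanning the tool performs.

```python
import hashlib
import re

# Constructed stand-in for a document's text content (not a real PDF).
# Repeated so that several copies of each paragraph fall on different block boundaries.
SAMPLE_DOCUMENT = (
    b"Quarterly report: revenue grew in every region this year. "
    b"Headcount remained flat while cloud costs fell by a fifth.\n"
    b"Many showcase schools provide support or training to other schools "
    b"in their district, sharing lesson plans and mentoring new staff.\n"
    b"Appendix: tables of raw figures follow on the next pages.\n"
) * 4


def _keystream(key: bytes, block_index: int, length: int) -> bytes:
    """Deterministic per-block pseudo-random bytes (SHA-256 of key || block || counter).
    This is a modelling aid only: it exists to scramble the chosen blocks reproducibly
    so the recovery step below can be tested; it is not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + block_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return out[:length]


def intermittent_encrypt(data: bytes, block_size: int, every_nth: int, key: bytes) -> bytes:
    """Model of intermittent encryption: the file is split into fixed-size blocks and
    only every N-th block (starting with the first) is scrambled. The blocks in
    between are left exactly as they were, which is what a recovery tool relies on."""
    out = bytearray(data)
    for block_index, start in enumerate(range(0, len(data), block_size)):
        if block_index % every_nth != 0:
            continue  # this block is skipped by the encryptor and survives intact
        end = min(start + block_size, len(data))
        stream = _keystream(key, block_index, end - start)
        out[start:end] = bytes(a ^ b for a, b in zip(out[start:end], stream))
    return bytes(out)


def carve_text(data: bytes, min_run: int = 32) -> list[tuple[int, str]]:
    """Recovery step: scan a partially encrypted buffer for runs of printable text
    that were never encrypted and return them with their offsets. No key is needed;
    encrypted blocks look like random bytes and almost never form a long printable run."""
    pattern = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_run)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def recovered_fraction(runs: list[tuple[int, str]], original_len: int) -> float:
    """Share of the original bytes that came back as readable text."""
    return sum(len(text) for _, text in runs) / original_len


def demo() -> dict:
    """Scramble every second 128-byte block, then carve what survived."""
    key = b"constructed-demo-key"  # constructed value, only used by the model above
    damaged = intermittent_encrypt(SAMPLE_DOCUMENT, block_size=128, every_nth=2, key=key)
    runs = carve_text(damaged)
    return {
        "damaged": damaged,
        "runs": runs,
        "fraction": recovered_fraction(runs, len(SAMPLE_DOCUMENT)),
    }


if __name__ == "__main__":
    result = demo()
    print(f"recovered {result['fraction']:.0%} of the original bytes as readable text")
    for offset, text in result["runs"]:
        print(f"@{offset:5d}: {text[:70]!r}")
```

Running it shows the point of the article in miniature: roughly half of the bytes come back as readable paragraphs even though the file as a whole is unusable, and the encryptor's choice of block size and skip ratio, not the strength of its cipher, decides how much survives. A real tool such as White Phoenix goes further by understanding the container format (PDF objects, Office and ZIP structures), so it can tell which surviving regions hold text or images and write each one out as a separate file.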

(Photo: CyberArk’s Ari Novick and Amir Landau)

What’s next for White Phoenix?

The sky’s the limit, according to Landau. “We have a couple of ideas. For the next version, I would like to try to recover some of the information that is encrypted by AI technology,” he says. “That is the future for us because it is needed and there is some possibility to do some of that.”

Theoretically, White Phoenix would be able to recover videos. “We specifically focused mostly on PDFs. We did a bit of Microsoft Office files as well as Zip because I happened to already be fairly knowledgeable on those file types,” says Novick. “But again, that’s why we are also making this open source because I have the knowledge on documents. If someone has knowledge of videos, it would be a lot easier.”

GitHub is a cloud-based Git repository hosting service. In short, it makes it much easier for individuals and teams to use Git for version control and collaboration. Git is a distributed version control system where the entire codebase and history are available on every developer’s computer, allowing easy branching and merging.