View All R&D Articles

White Phoenix Ransomware Recovery Tool: What to Know

January 31, 2024

White Phoenix is an open-source ransomware decryption tool, intended for use with larger files encrypted by the Play ransomware group and other ransomware variants that use intermittent encryption.

The tool is available on GitHub here, and it’s both free and relatively user-friendly thanks to a newly released web version developed by CyberArk. Before using White Phoenix, here’s what victims should know.

How does White Phoenix recover files infected by ransomware? 

Ransomware typically works by encrypting files, forcing victims to pay a ransom for the associated decryption keys. 

But in order to be effective, malware must work quickly. Full-file encryption is time consuming and resource intensive. Many ransomware variants address this issue by encrypting the first segment of each file — not the entire file. 

Ransomware recovery tools usually work by bypassing the encrypted area and attempting to restore the file to a functional condition. For example, the Black Basta ransomware recovery tool essentially bypasses the first 5,000 bytes of each encrypted file.

White Phoenix is slightly different. It utilizes a weakness in the keygen function used by certain ransomware variants (including Play) to encrypt data. 

CyberArk’s full blog post contains a detailed description of this flaw, along with a full explanation of how White Phoenix works. The bottom line: The tool can effectively address some types of ransomware that use intermittent encryption, restoring a large amount of data (but not all data). 

White Phoenix is intended for specific ransomware variants.

The tool is not capable of decrypting fully encrypted files. Additionally, some types of files may not be recoverable following partial encryption, including smaller files, images, and videos.

For larger files (for example, virtual disk images), White Phoenix is extremely useful. Before trying the tool, we strongly recommend following these steps: 

  1. Isolate the affected system(s). 
  2. Make a full clone of any storage device prior to attempting recovery. Learn how to clone media with ddrescue. 
  3. Ensure that the ransomware uses an encryption method addressed by White Phoenix. The tool has been tested with BlackCat/Alphv, Play, Qilin/Agenda, BianLian, and DarkBit.
  4. Use the appropriate version of the utility. The web version of White Phoenix can only support files of up to 10 megabytes (MB). 

If White Phoenix is not successful, you may still have options for ransomware recovery. Do not pay ransoms under any circumstances; in many cases, paying a ransom is illegal and will not guarantee data recovery.

Trust the leader in ransomware recovery services.

At, we offer a range of resources for ransomware recovery. We can also analyze ransomware events to build resilient business continuity strategies — and monitor the dark web for data leaks following an attack. 

To learn more, call 1-800-237-4200 to speak with a ransomware expert or submit a case online.