Determine files that were encrypted by ransomware (cryptolocker, cryptowall, etc.)


mfecteau

Here's a "solution" to determine which files were encrypted by the CryptoLocker or CryptoWall ransomware. I'm posting it here because it's done in the AutoIt language. And I know many people on the web were asking for a solution about this.

You must have access to a backup copy of your files to use this, it won't decrypt your files.

It is useful in an enterprise environment where you have a lot of users accessing a file server with a lot of files. Without this, it is difficult to know where the encrypted files are located. Some files are encrypted and others aren't, and there's no way of knowing which ones except by manually trying to open each file.

This script will locate those files (and list them), and optionally restore them from your backup.

Update: I forgot to mention that the source is included. The only binary is the lz4.exe compression command, which you could grab somewhere else if suspicious. Also, the misleading title was changed.

cryptocheck.zip

Edited by mfecteau
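The approach described in this post (compare each live file against its backup copy and flag the ones that stopped compressing, then optionally restore them) is illustrated below in Python. This is an added example, not mfecteau's AutoIt script: it uses zlib instead of the lz4.exe binary the attachment ships, the directory layout, file contents, the `threshold` value and the helper names `compression_ratio`, `classify`, `scan`, `restore` and `demo` are all assumptions, and the "encrypted" file in the demo is random bytes standing in for ciphertext.

```python
"""Locate files overwritten by ransomware by comparing their compressibility
against a known-good backup copy, then optionally restore the flagged files.

Added example (not the thread's AutoIt script). zlib stands in for lz4;
the sample tree is constructed in a temp directory.
"""
import os
import shutil
import tempfile
import zlib
from pathlib import Path


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size.
    Plain documents compress well (ratio well below 1.0); ciphertext is
    indistinguishable from random data and stays at roughly 1.0."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def classify(live_path: Path, backup_path: Path, threshold: float = 0.2) -> str:
    """Compare one live file with its backup copy.
    Comparing against the backup (instead of using an absolute ratio) keeps
    already-compressed formats such as zip/jpg/docx from being flagged:
    those sit near 1.0 in BOTH copies, so the ratio does not jump."""
    if not backup_path.exists():
        return "missing-backup"
    live = live_path.read_bytes()
    backup = backup_path.read_bytes()
    if live == backup:
        return "unchanged"
    live_r = compression_ratio(live)
    backup_r = compression_ratio(backup)
    # A file that used to compress and now does not is the ransomware signature.
    if live_r - backup_r > threshold and live_r > 0.9:
        return "encrypted"
    return "modified"  # content changed but still compressible: a normal edit


def scan(live_root: Path, backup_root: Path, threshold: float = 0.2) -> dict:
    """Walk the live share and return {relative_path: verdict}."""
    verdicts = {}
    for path in Path(live_root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(live_root)
            verdicts[rel.as_posix()] = classify(path, Path(backup_root) / rel, threshold)
    return verdicts


def restore(live_root: Path, backup_root: Path, verdicts: dict, dry_run: bool = True) -> list:
    """Copy the backup over every file judged 'encrypted'. dry_run only lists them."""
    restored = []
    for rel, verdict in sorted(verdicts.items()):
        if verdict == "encrypted":
            if not dry_run:
                shutil.copy2(Path(backup_root) / rel, Path(live_root) / rel)
            restored.append(rel)
    return restored


def demo():
    """Build a constructed live/backup pair, simulate one encrypted file and
    one legitimate edit, then scan and restore. Returns (verdicts, restored, tmp)."""
    tmp = Path(tempfile.mkdtemp(prefix="cryptocheck-"))
    live, backup = tmp / "live", tmp / "backup"
    for root in (live, backup):
        (root / "hr").mkdir(parents=True)
        (root / "hr" / "memo.txt").write_bytes(b"Quarterly memo. " * 200)
        (root / "hr" / "policy.txt").write_bytes(b"Policy text line.\n" * 300)
    # Constructed: random bytes stand in for the ciphertext the ransomware writes back.
    (live / "hr" / "memo.txt").write_bytes(os.urandom(3200))
    # Constructed: a normal user edit that must NOT be flagged.
    (live / "hr" / "policy.txt").write_bytes(b"Policy text line.\n" * 300 + b"Added a paragraph.\n")
    verdicts = scan(live, backup)
    restored = restore(live, backup, verdicts, dry_run=False)
    return verdicts, restored, tmp


if __name__ == "__main__":
    verdicts, restored, tmp = demo()
    for rel, verdict in sorted(verdicts.items()):
        print(f"{verdict:16} {rel}")
    print("restored:", restored)
    shutil.rmtree(tmp)
```

Run the script as-is to see the constructed demo; for a real share, call `scan(live_root, backup_root)` with `dry_run=True` first and review the list before restoring, since a file that was legitimately replaced by an already-compressed format will also show a ratio jump.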

Example scripts go in the example scripts section of the forum ;)

Edited by MikahS


With user permissions and filecopy you should restore roughly 0 files on a ransomware infected box.  The only way a file backup is useful is to restore it onto a fresh load.  And restoring a backup is not a solution to anything, it is what you do when none of your solutions worked.



@computergroove, while it is an older thread, this still holds true. There is no requirement for anyone to share source. If there is an issue with trust, the Mods will make the determination.



To be more specific: the file does contain the script sources and some lz4.exe file, so the whole comment is totally unclear, but that is happening regularly.

Jos


> With user permissions and filecopy you should restore roughly 0 files on a ransomware infected box. The only way a file backup is useful is to restore it onto a fresh load. And restoring a backup is not a solution to anything, it is what you do when none of your solutions worked.

Indeed, there's no solution against the CryptoLocker/CryptoWall ransomware. We must restore from backup. Or money could be given to those crooks, but that's not a solution for us. The subject of the thread is in fact misleading, my fault. It should have been something like: "solution to determine files encrypted by ransomware ...".

I insist on the fact that this script won't be useful to a lot of people, only to enterprise admins that manage big file servers (with daily backup) who need to locate the encrypted files (to determine which users or departments were affected by the ransomware outbreak).

I indeed included the sources except the compression command is compiled (if suspicious, grab it somewhere else).  I chose lz4 because it's 10 times faster than zip. 

Finally, I know that I'm not the best programmer on the planet (far from it), so bear with me.


I still don't understand how you are going to perform actions on a file to which you do not even have the most basic of read rights. And if you have the backup, why not just diff the whole structure and mark all the directories where ACLs have changed?


> I still don't understand how you are going to perform actions on a file to which you do not even have the most basic of read rights. And if you have the backup, why not just diff the whole structure and mark all the directories where ACLs have changed?

The script must run with the local administrator account on the file server (so full rights on all files without UAC interference). I used it and it works.

Apparently, CryptoWall doesn't change the ACL (ownership), it only changes the last modification date. And without auditing enabled on the file server, we don't know who made the last modification (Windows doesn't keep track of this out of the box).

You're right, other ways surely exist to do something similar to this script. I didn't test it, but surely a graphical tool like WinMerge could be used to do a diff based on something other than the compression ratio. But I didn't find a free tool that did a diff comparing the compression ratio as my script is doing.


> The second piece is a bit on how CryptoLocker functions: since it uses the logged in user account to encrypt files, and since it is literally replacing the files with encrypted copies, the newly encrypted files are being created by the logged in user. This means that, no matter who owned them before, the logged in user will become the file owner.
>
> http://www.poshcodebear.com/blog/2014/5/2/function-to-aid-in-finding-cryptolocker-encrypted-files

The elevated tokens available to you will not gain any full rights on a CryptoLocker protected file (that I have seen). What variant did you use this on?

Edited by boththose


> http://www.poshcodebear.com/blog/2014/5/2/function-to-aid-in-finding-cryptolocker-encrypted-files
>
> The elevated tokens available to you will not gain any full rights on a CryptoLocker protected file (that I have seen). What variant did you use this on?

The variant is CryptoWall. We saw that the encrypted files didn't change ownership; the files were only modified. Also, the NTFS ACLs were not changed (NTFS inheritance was still applied). So the files were "readable" (NTFS-wise), but encrypted.

Thanks for the link, that was a good read.


I've reading to do on CryptoWall then. We couldn't even copy the files in a Windows session with CryptoLocker, so that is why I have so many questions as to how you are getting them into the container to even test.


> I've reading to do on CryptoWall then. We couldn't even copy the files in a Windows session with CryptoLocker, so that is why I have so many questions as to how you are getting them into the container to even test.

With the local administrator account (or admin privileges), you should be able to get full NTFS rights recursively on a folder with a tool like "SetACL.exe" (or you could also get it done through the Windows GUI). If you cannot, maybe it's because your file server was itself infected with the ransomware and it has done something nasty to your Windows installation preventing you from changing the NTFS permissions (though I'm only speculating). On my side, the file server was not itself infected. It's the client machines that were infected, and those clients encrypted files on the file server from a network share that was mapped as a drive letter on the clients.
