------------ README File ------------

------------
INTRODUCTION
------------

The Run-RansomRecovery script audits storage areas in a domain to identify files that may have been encrypted as a result of a ransomware attack. Original files can be restored from a backup location using the script, and the malicious files can be cleaned up from it. The script is designed for the Microsoft Windows operating system and requires PowerShell 4.0 or above.

----------
DISCLAIMER
----------

This script is offered 'as is' with no warranty. While it has been tested and verified to work in my environment, it is recommended that you test this script in a test environment before utilizing it in your own production environment.

------------
REQUIREMENTS
------------

This script requires:

* Modify permissions on the folders to be scanned and restored
* Administrative access on the machine the script will be run from

------------
INSTALLATION
------------

The Run-RansomRecovery.ps1 file should be extracted to the desktop of the Windows machine where the script will run from. It is not recommended to run this script directly on a machine that has been corrupted by ransomware or other malware.

Once extracted, the file can be right-clicked and "Run with PowerShell" selected. Alternatively, PowerShell can be opened manually, the terminal navigated to the directory where the script is located, and the script executed from there. With either option, it is recommended that the script is run with an account that has administrator privileges.

---------
OPERATION
---------

The script's menu contains three options.

1) Identify potentially encrypted files

   This submenu allows you to scan a file system or UNC path to identify files that do not match common file extensions, or files with a specific file extension that you specify. Once potentially encrypted files are found, the script generates a list in CSV format for your review. Once reviewed, this list should be modified to reflect only the files which you have identified as encrypted by the ransomware.

2) Restore impacted files

   This submenu allows you to restore encrypted files on UNC paths from a UNC backup location. The file structure of the backup location should match the UNC path being restored. The menu option lets you load the reviewed CSV file (suspiciousfiles.csv) and restore the impacted files.

3) Clean up after malware

   This submenu allows you to delete files in a directory that match a specific file extension.
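The following is an added illustration of the scan and restore steps described above; it is not code from Run-RansomRecovery.ps1. It assumes a hypothetical scan root, backup root, extension allow-list and CSV columns (FullName, OriginalName), and that the backup tree mirrors the scanned tree as the README requires.

```powershell
# Added example, not the Run-RansomRecovery.ps1 script: flag files whose extension is not
# on an allow-list (or matches one given extension), write them to suspiciousfiles.csv,
# and restore reviewed rows from a backup root whose layout mirrors the scanned root.

function Find-SuspiciousFile {
    param(
        [Parameter(Mandatory)][string]$ScanRoot,          # assumed, e.g. \\fileserver\share
        [string[]]$KnownExtensions = @('.docx','.xlsx','.pptx','.pdf','.txt','.jpg','.png'),
        [string]$ExtensionToFind                           # optional, e.g. '.locked'
    )
    Get-ChildItem -LiteralPath $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            if ($ExtensionToFind) { $_.Extension -ieq $ExtensionToFind }
            else { $KnownExtensions -notcontains $_.Extension.ToLower() }
        } |
        ForEach-Object {
            [pscustomobject]@{
                FullName      = $_.FullName
                # 'report.docx.locked' -> 'report.docx'; the reviewer corrects this column if wrong
                OriginalName  = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
                LastWriteTime = $_.LastWriteTime
            }
        }
}

function Restore-ReviewedFile {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$ScanRoot,
        [Parameter(Mandatory)][string]$BackupRoot,
        [switch]$WhatIf                                    # dry run: report what would be copied
    )
    $root = $ScanRoot.TrimEnd('\')
    foreach ($row in Import-Csv -LiteralPath $CsvPath) {
        if (-not $row.FullName.StartsWith($root, 'OrdinalIgnoreCase')) {
            Write-Warning "Outside scan root, skipped: $($row.FullName)"; continue
        }
        # Same relative directory on both sides because the backup mirrors the share layout
        $relativeDir = Split-Path -Parent ($row.FullName.Substring($root.Length).TrimStart('\'))
        $sourceDir   = if ($relativeDir) { Join-Path $BackupRoot $relativeDir } else { $BackupRoot }
        $source      = Join-Path $sourceDir $row.OriginalName
        $destination = Join-Path (Split-Path -Parent $row.FullName) $row.OriginalName
        if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
            Write-Warning "No backup copy for $($row.FullName) at $source"; continue
        }
        Copy-Item -LiteralPath $source -Destination $destination -WhatIf:$WhatIf
    }
}

Find-SuspiciousFile -ScanRoot '\\fileserver\share' |
    Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\suspiciousfiles.csv" -NoTypeInformation
```

Run Restore-ReviewedFile with -WhatIf first to confirm every row resolves to an existing backup copy before any file is written.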