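<#
.SYNOPSIS
Audits storage areas in a domain to identify potential encrypted files as a result of a ransomware attack. Original files can be restored from a backup location using the script.

.DESCRIPTION
Performs the necessary steps to identify potentially encrypted files and offers the ability to restore them from a backup, as well as clean up the malicious files.

The script is menu driven and works in the directory it is started from:
  * Scanning writes candidate files to .\suspiciousfiles.csv (columns Directory, BaseName, Extension).
  * Restoring copies originals back with Robocopy /COPYALL, either one named file or every row of
    .\suspiciousfiles.csv, and records an inventory of the backup location in .\backupfiles.csv.
  * Clean up lists every file with a chosen extension below a root folder and deletes them only
    after the operator confirms.

.NOTES
Version          : 1.0
Changes          : Rewritten for powershell v4 & provides for error suppression
Rights Required  : Modify permissions to folders to be scanned and restored
Sched Task Req'd : No
Author           : Jeff Stein, MSISA candidate at Western Governors University
Year Written     : 2015
Disclaimer       :
Resources used   : https://quickclix.wordpress.com/2012/08/14/making-powershell-menus/

.EXAMPLE
.\Run-RansomRecovery.ps1

.INPUTS
None. You cannot pipe objects to this script.
#>
#Requires -Version 4.0

# Non-terminating cmdlet errors (an unreadable folder during a scan, a file Robocopy cannot
# overwrite, ...) are suppressed so that one failure does not abort a long run. Because of
# this, the Test-Path checks and Write-Warning calls below are the only feedback the operator
# gets when a step silently did nothing - keep them when editing.
$ErrorActionPreference = "silentlycontinue"
$error.clear()

# Report files, written to the directory the script is run from.
$SuspiciousCsv = ".\suspiciousfiles.csv"
$BackupCsv     = ".\backupfiles.csv"

# Extensions treated as ordinary file types. Scan option 1 reports every file whose extension is
# NOT in this list, so a ransomware family that keeps the original extension (or renames files to
# one of these) is not found by that option - use scan option 2 with the extension observed on
# the infected host instead.
$KnownExtensions = @(
  # text and office documents
  '*.doc', '*.docx', '*.log', '*.msg', '*.odt', '*.pages', '*.rtf', '*.tex', '*.txt', '*.wpd', '*.wps',
  # data files
  '*.csv', '*.dat', '*.gbr', '*.ged', '*.key', '*.keychain', '*.pps', '*.ppt', '*.pptx', '*.sdf',
  '*.tar', '*.tax2012', '*.tax2014', '*.vcf', '*.xml',
  # audio
  '*.aif', '*.iff', '*.m3u', '*.m4a', '*.mid', '*.mp3', '*.mpa', '*.ra', '*.wav', '*.wma',
  # video
  '*.3g2', '*.3gp', '*.asf', '*.asx', '*.avi', '*.flv', '*.m4v', '*.mov', '*.mp4', '*.mpg', '*.rm',
  '*.srt', '*.swf', '*.vob', '*.wmv',
  # 3D, raster and vector images, page layout, spreadsheets
  '*.3dm', '*.3ds', '*.max', '*.obj',
  '*.bmp', '*.dds', '*.gif', '*.jpg', '*.png', '*.psd', '*.pspimage', '*.tga', '*.thm', '*.tif', '*.tiff', '*.yuv',
  '*.ai', '*.eps', '*.ps', '*.svg',
  '*.indd', '*.pct', '*.pdf',
  '*.xlr', '*.xls', '*.xlsx',
  # databases
  '*.accdb', '*.db', '*.dbf', '*.mdb', '*.pdb', '*.sql',
  # executables, games, CAD / GIS
  '*.apk', '*.app', '*.bat', '*.cgi', '*.com', '*.exe', '*.gadget', '*.jar', '*.pif', '*.vb', '*.wsf',
  '*.dem', '*.gam', '*.nes', '*.rom', '*.sav',
  '*.dwg', '*.dxf', '*.gpx', '*.kml', '*.kmz',
  # web, plug-ins, fonts
  '*.asp', '*.aspx', '*.cer', '*.cfm', '*.csr', '*.css', '*.htm', '*.html', '*.js', '*.jsp', '*.php', '*.rss', '*.xhtml',
  '*.crx', '*.plugin',
  '*.fnt', '*.fon', '*.otf', '*.ttf',
  # system and settings ('*.in0i' is carried over from the original list; it looks like a typo
  # for '*.ini', which is also listed, and is harmless)
  '*.cab', '*.cpl', '*.cur', '*.deskthemepack', '*.dll', '*.dmp', '*.drv', '*.icns', '*.ico', '*.lnk', '*.sys',
  '*.cfg', '*.in0i', '*.prf',
  # encoded, compressed and disk images ('*.7z' was written '*7z' in the original list, which also
  # matched any name merely ending in "7z"; the duplicate '*.tar' and '*.gz' entries were dropped)
  '*.hqx', '*.mim', '*.uue',
  '*.7z', '*.cbr', '*.deb', '*.gz', '*.pkg', '*.rar', '*.rpm', '*.sitx', '*.zip', '*.zipx',
  '*.bin', '*.cue', '*.dmg', '*.iso', '*.mdf', '*.toast', '*.vcd',
  # source code, backups, miscellaneous
  '*.c', '*.class', '*.cpp', '*.cs', '*.dtd', '*.fla', '*.h', '*.java', '*.lua', '*.m', '*.pl', '*.py', '*.sh',
  '*.sln', '*.swift', '*.vcxproj', '*.xcodeproj',
  '*.bak', '*.tmp',
  '*.crdownload', '*.ics', '*.msi', '*.part', '*.torrent',
  '*.ini', '*.vsd', '*.vsdx', '*.slax', '*.pem', '*.xcf', '*.pup*'
)

# Menu text. Kept at script level so the here-strings can end at column 0.
$WelcomeBanner = @"

 ***************************************************
 Ransomware Recovery Script
 ***************************************************

Welcome to the Ransomware Recovery Script for the Windows Operating System. This script leverage's PowerShell in an attempt to identify potentially encrypted files and restore the original copies from your backups.

Disclaimer: This script is offered 'as is' with no warranty. While it has been tested and verified to work in my environment, it is recommended that you test this script in a test environment before utilizing in your own production environment. Additionally it is recommended that you consult the README.txt file before proceeding.

"@

$RecoveryHeader = @"

 ***************************************************
 Recovery Options
 ***************************************************
 Select from the options below to perform actions which can find encrypted files as well as restore and clean up your system.
"@

$MainMenu = @"

 1) Identify potentially encrypted files
 2) Restore impacted files
 3) Clean up after malware
 4) Exit
"@

$ScanHeader = @"

 ***************************************************
 Scanning Options
 ***************************************************
 Select from the options below to perform actions which can find encrypted files.
"@

$ScanMenu = @"

 Please select an option from the list below.
 1) Identify potentially encrypted files
 2) Specify file extension to search for
 3) Mixed Search for encrypted files
 4) Return to Main Menu
"@

$RestoreHeader = @"

 ***************************************************
 File Restore Options
 ***************************************************
 Select from the options below to perform actions which can restore impacted files.
"@

$RestoreMenu = @"

 Please select an option from the list below.
 1) Restore specific file
 2) Restore all files from CSV file
 3) Return to Main Menu
"@

$CleanupHeader = @"

 ***************************************************
 Clean Up Options
 ***************************************************
 Select from the options below to perform actions which can clean up after malware.
"@

$CleanupMenu = @"

 Please select an option from the list below.
 1) Delete files based on an extension
 2) Return to Main Menu
"@

function Read-MenuChoice {
  # Shows $Menu and prompts until the operator enters a whole number in [$Min, $Max].
  # Non-numeric or out-of-range input re-prompts; the original cast the answer with [int],
  # which under error suppression silently left the previous value in place.
  # Returns: the chosen [int].
  param(
    [string]$Menu,
    [string]$Prompt,
    [int]$Min,
    [int]$Max
  )
  while ($true) {
    Write-Host $Menu
    $raw = Read-Host "$Prompt [$Min-$Max]"
    [int]$choice = 0
    if ([int]::TryParse($raw, [ref]$choice) -and $choice -ge $Min -and $choice -le $Max) {
      return $choice
    }
    Write-Host "Please enter a number between $Min and $Max."
  }
}

function Read-ExistingPath {
  # Prompts for a folder or share and returns it, or $null (after a warning) when Test-Path
  # cannot see it. With errors suppressed, a mistyped path would otherwise make every later
  # cmdlet do nothing without any message.
  param([string]$Prompt)
  $candidate = Read-Host $Prompt
  if ([string]::IsNullOrWhiteSpace($candidate) -or -not (Test-Path -LiteralPath $candidate)) {
    Write-Warning "Path '$candidate' does not exist or is not accessible."
    return $null
  }
  return $candidate
}

function Export-UnknownExtensionFiles {
  # Writes every file under $Path whose extension is NOT in $KnownExtensions to $SuspiciousCsv.
  # Arguments: $Path - root of the tree to scan
  #            -Append - add to an existing $SuspiciousCsv instead of replacing it
  param(
    [string]$Path,
    [switch]$Append
  )
  Write-Host "Recursively searching $Path for all files with suspicious extension types"
  Write-Host " "
  # The trailing \*.* mirrors the original search pattern; note that *.* does not match a file
  # that has no extension at all, so such files are never reported.
  $hits = @(Get-ChildItem -Recurse -File -Path (Join-Path $Path '*.*') -Exclude $KnownExtensions |
    Select-Object Directory, BaseName, Extension)
  if ($Append) {
    $hits | Export-Csv $SuspiciousCsv -Append
  } else {
    $hits | Export-Csv $SuspiciousCsv
  }
  Write-Host "$($hits.Count) file(s) written to $SuspiciousCsv"
}

function Export-FilesByExtension {
  # Writes every file under $Path whose name matches *$Extension to $SuspiciousCsv (replacing it).
  # Arguments: $Path - root of the tree to scan
  #            $Extension - suffix as typed by the operator, e.g. ".locked"
  param(
    [string]$Path,
    [string]$Extension
  )
  Write-Host "Recursively searching $Path for files matching the $Extension extension type."
  Write-Host " "
  $hits = @(Get-ChildItem -Recurse -File -Path (Join-Path $Path "*$Extension") |
    Select-Object Directory, BaseName, Extension)
  $hits | Export-Csv $SuspiciousCsv
  Write-Host "$($hits.Count) file(s) written to $SuspiciousCsv"
}

function Show-ScanMenu {
  # Scan sub-menu (main menu option 1). Returns to the caller on "Return to Main Menu".
  Write-Host $ScanHeader
  $choice = Read-MenuChoice -Menu $ScanMenu -Prompt "Select an option..." -Min 1 -Max 4
  if ($choice -eq 4) { return }

  switch ($choice) {
    1 {
      Write-Host "Option 1: Identify potentially encrypted files has been selected"
      $path = Read-ExistingPath "Please enter a search path"
      if (-not $path) { return }
      Export-UnknownExtensionFiles -Path $path
    }
    2 {
      Write-Host "Option 2: Specify file extension to search for has been selected"
      $path = Read-ExistingPath "Please enter a search path"
      if (-not $path) { return }
      $ext = Read-Host "Enter the suspicious file extension to search for"
      # An empty extension would turn the pattern into a bare * and report the whole tree.
      if ([string]::IsNullOrWhiteSpace($ext)) { Write-Warning "No extension given; nothing searched."; return }
      Export-FilesByExtension -Path $path -Extension $ext
    }
    3 {
      Write-Host "Option 3: Mixed search for encrypted files has been selected"
      $path = Read-ExistingPath "Please enter a search path"
      if (-not $path) { return }
      $ext = Read-Host "Enter the suspicious file extension to search for"
      if ([string]::IsNullOrWhiteSpace($ext)) { Write-Warning "No extension given; nothing searched."; return }
      Export-FilesByExtension -Path $path -Extension $ext
      # The original ran this second pass over "$path\*$ext" again (its $searchcommon variable was
      # never used), so the mixed search added nothing beyond the first pass.
      Export-UnknownExtensionFiles -Path $path -Append
    }
  }
}

function Restore-SingleFile {
  # Restore menu option 1: copy one named file from a backup folder to a restore folder.
  $name = Read-Host "Please specify a file name to restore"
  if ([string]::IsNullOrWhiteSpace($name)) { Write-Warning "No file name given; nothing restored."; return }
  $backup = Read-ExistingPath "Please enter a backup location of the file"
  if (-not $backup) { return }
  $dest = Read-Host "Please enter a restore path for the file"
  # Robocopy <source dir> <destination dir> <file spec>. /COPYALL also copies the NTFS ACL,
  # owner and auditing information, so the restored file keeps its original permissions.
  Robocopy $backup $dest $name /COPYALL
}

function Restore-FilesFromCsv {
  # Restore menu option 2: for every row of $SuspiciousCsv copy <BaseName>.* from the matching
  # folder under the backup location back into the row's Directory.
  if (-not (Test-Path -LiteralPath $SuspiciousCsv)) {
    Write-Warning "$SuspiciousCsv not found; run a scan first."
    return
  }
  # Export-Csv wrote a header row, so Import-Csv needs no -Header. The original passed one,
  # which turned the header row itself into a (bogus) file to restore.
  $rows = @(Import-Csv $SuspiciousCsv)
  $backupRoot = Read-ExistingPath "Please enter a backup location"
  if (-not $backupRoot) { return }

  # Inventory of the backup location for the operator's reference; the restore does not read it.
  Get-ChildItem -Recurse -Path $backupRoot | Select-Object Directory, BaseName, Extension | Export-Csv $BackupCsv

  foreach ($row in $rows) {
    $targetDir = $row.Directory
    if ([string]::IsNullOrWhiteSpace($targetDir)) { continue }
    $fileSpec = $row.BaseName + ".*"
    # Assumes the backup mirrors the original folder layout beneath $backupRoot with the drive
    # letter removed (C:\Data\Docs -> <backupRoot>\Data\Docs) - confirm against your backup tool.
    # The original appended the full original path to the backup root, which produced a path
    # like "<backupRoot>C:\Data\Docs" that cannot exist.
    $relative  = ($targetDir -replace '^[A-Za-z]:', '') -replace '^\\+', ''
    $sourceDir = Join-Path $backupRoot $relative
    if (-not (Test-Path -LiteralPath $sourceDir)) {
      Write-Warning "No backup folder for '$targetDir' at '$sourceDir'; skipping $fileSpec."
      continue
    }
    Robocopy $sourceDir $targetDir $fileSpec /COPYALL
  }
}

function Show-RestoreMenu {
  # Restore sub-menu (main menu option 2). Returns to the caller on "Return to Main Menu".
  Write-Host $RestoreHeader
  $choice = Read-MenuChoice -Menu $RestoreMenu -Prompt "Select an option..." -Min 1 -Max 3
  switch ($choice) {
    1 { Restore-SingleFile }
    2 { Restore-FilesFromCsv }
    3 { return }
  }
}

function Remove-FilesByExtension {
  # Clean up option 1: delete every file named *.<extension> below a root folder, after listing
  # the matches and asking for confirmation.
  $ext = Read-Host "Please specify an extension to remove from your infected folder tree"
  $ext = "$ext".TrimStart('.')
  if ([string]::IsNullOrWhiteSpace($ext)) { Write-Warning "No extension given; nothing removed."; return }
  $pattern = "*.$ext"
  $root = Read-ExistingPath "Please enter the root path in the folder tree to clean up"
  if (-not $root) { return }

  # -File keeps a folder that happens to be named *.<ext> (and everything inside it) out of the
  # deletion; -Force includes hidden files, as in the original.
  $victims = @(Get-ChildItem -Path $root -Recurse -File -Include $pattern -Force)
  if ($victims.Count -eq 0) {
    Write-Host "No files matching $pattern found under $root."
    return
  }
  # List first, confirm, then delete: a mistyped extension would otherwise wipe legitimate files
  # under $root with no output at all, because per-file errors are suppressed.
  $victims | ForEach-Object { Write-Host $_.FullName }
  $answer = Read-Host "Delete these $($victims.Count) file(s)? Type YES to confirm"
  if ($answer -ceq 'YES') {
    # -Force on Remove-Item is needed for the hidden/read-only files -Force on Get-ChildItem found;
    # without it those deletions fail silently.
    $victims | Remove-Item -Force
    Write-Host "$($victims.Count) file(s) removed."
  } else {
    Write-Host "No files were deleted."
  }
}

function Show-CleanupMenu {
  # Clean up sub-menu (main menu option 3). Returns to the caller on "Return to Main Menu".
  Write-Host $CleanupHeader
  $choice = Read-MenuChoice -Menu $CleanupMenu -Prompt "Select an option..." -Min 1 -Max 2
  switch ($choice) {
    1 { Remove-FilesByExtension }
    2 { return }
  }
}

# --- entry point ---------------------------------------------------------------------------
Write-Host $WelcomeBanner
Read-Host "Please press [Enter] to continue"
Write-Host $RecoveryHeader

# Sub-menus return here, so "Return to Main Menu" no longer depends on a separate .\menu.ps1.
$keepRunning = $true
while ($keepRunning) {
  $choice = Read-MenuChoice -Menu $MainMenu -Prompt "Select an option..." -Min 1 -Max 4
  switch ($choice) {
    1 { Show-ScanMenu }
    2 { Show-RestoreMenu }
    3 { Show-CleanupMenu }
    # "4) Exit": the original accepted only 1-4 but handled exit in an unreachable case 5, so
    # choosing Exit did nothing.
    4 { $keepRunning = $false }
  }
}
Write-Host ""
Write-Host "Exiting..."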