A script by Jeff Stein
This script was part of my Masters capstone project, which covered the security topic of ransomware. The script, entitled "Run-RansomRecovery", audits storage areas in a domain to identify files that may have been encrypted as a result of a ransomware attack. Original files can be restored from a backup location using the script, and cleanup of the malicious files can be run from it as well. The script is designed for the Microsoft Windows operating system, leveraging PowerShell 4.0 and above.
This script is offered 'as is' with no warranty. While it has been tested and verified to work in my environment, it is recommended that you test this script in a test environment before using it in your own production environment.
To get started, download the files listed in the resource section and save Run-RansomRecovery.txt as a .ps1 file. It should be extracted to the desktop of the Windows machine the script will run from. It is not recommended to run this script directly on a machine that has been corrupted by ransomware or other malware. Once extracted, the file can be right-clicked and "Run with PowerShell" selected. Alternatively, PowerShell can be opened manually, the terminal navigated to the directory where the script is located, and the script executed from there. With either option, it is recommended that the script is run with an account that has administrator privileges.
A key piece of the script audits storage areas to identify potentially encrypted files. The script does this in a few different ways. It allows you to input a path such as C:\ to search for files with unknown extensions, which may be encrypted file types. Additionally, if you know the file extension the ransomware has given the encrypted files, you can search for that specific extension. Similar to the first option, it lets you specify your search path. You can see a sample of the code below:
# Search by a known bad extension, then by excluding well-known legitimate extensions
$path = read-host "Please enter a search path"
$filex = read-host "Enter the suspicious file extension to search for (including the dot, e.g. .locked)"
$searchpath = "$path\*$filex"
$searchcommon = "$path\*.*"
Write-Host "Recursively searching $path for files matching the $filex extension type."
Write-Host " "
Write-Host " "
# Files carrying the known bad extension (-File keeps directories out of the report)
Get-ChildItem -Recurse -File -Path $searchpath | Select-Object Directory,BaseName,Extension | Export-Csv .\suspiciousfiles.csv
# Files of unknown extensions: everything under the path except the well-known types listed below
Get-ChildItem -Recurse -File -Path $searchcommon -exclude *.doc,*.docx,*.log,*.msg,*.odt,*.pages,*.rtf,*.tex,*.txt,*.wpd,*.wps,*.csv,*.dat,*.gbr,*.ged,*.key,*.keychain,*.pps,*.ppt,*.pptx,*.sdf,*.tar,*.tax2012,*.tax2014,*.vcf,*.xml,*.aif,*.iff,*.m3u,*.m4a,*.mid,*.mp3,*.mpa,*.ra,*.wav,*.wma,*.3g2,*.3gp,*.asf,*.asx,*.avi,*.flv,*.m4v,*.mov,*.mp4,*.mpg,*.rm,*.srt,*.swf,*.vob,*.wmv,*.3dm,*.3ds,*.max,*.obj,*.bmp,*.dds,*.gif,*.jpg,*.png,*.psd,*.pspimage,*.tga,*.thm,*.tif,*.tiff,*.yuv,*.ai,*.eps,*.ps,*.svg,*.indd,*.pct,*.pdf,*.xlr,*.xls,*.xlsx,*.accdb,*.db,*.dbf,*.mdb,*.pdb,*.sql,*.apk,*.app,*.bat,*.cgi,*.com,*.exe,*.gadget,*.jar,*.pif,*.vb,*.wsf,*.dem,*.gam,*.nes,*.rom,*.sav,*.dwg,*.dxf,*.gpx,*.kml,*.kmz,*.asp,*.aspx,*.cer,*.cfm,*.csr,*.css,*.htm,*.html,*.js,*.jsp,*.php,*.rss,*.xhtml,*.crx,*.plugin,*.fnt,*.fon,*.otf,*.ttf,*.cab,*.cpl,*.cur,*.deskthemepack,*.dll,*.dmp,*.drv,*.icns,*.ico,*.lnk,*.sys,*.cfg,*.in0i,*.prf,*.hqx,*.mim,*.uue,*.7z,*.cbr,*.deb,*.gz,*.pkg,*.rar,*.rpm,*.sitx,*.tar,*.gz,*.zip,*.zipx,*.bin,*.cue,*.dmg,*.iso,*.mdf,*.toast,*.vcd,*.c,*.class,*.cpp,*.cs,*.dtd,*.fla,*.h,*.java,*.lua,*.m,*.pl,*.py,*.sh,*.sln,*.swift,*.vcxproj,*.xcodeproj,*.bak,*.tmp,*.crdownload,*.ics,*.msi,*.part,*.torrent,*.ini,*.vsd,*.vsdx,*.slax,*.pem,*.xcf,*.pup* | Select-Object Directory,BaseName,Extension | Export-Csv .\suspiciousfiles.csv -Append
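Extension-based searching misses ransomware that keeps or randomises extensions, so a practitioner usually adds a content check. The following is an added example, not part of the original Run-RansomRecovery script: it flags files whose first 64 KB has near-maximal Shannon entropy, which is what encrypted data looks like, and writes the same Directory/BaseName/Extension columns the script's CSV uses. It assumes the -ScanPath root and the list of already-compressed extensions to skip are supplied by the operator.

```powershell
# Added example, not part of the original Run-RansomRecovery script.
# Flags files whose content looks encrypted by measuring the Shannon entropy
# of the first 64 KB, independent of the extension the ransomware chose.
# Assumption: -ScanPath is the same root the script prompts for.
function Get-FileEntropy {
    param([Parameter(Mandatory)][string]$Path, [int]$SampleBytes = 65536)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $SampleBytes
        $read = $stream.Read($buffer, 0, $SampleBytes)
    } finally { $stream.Dispose() }
    if ($read -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $read; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $read
            $entropy -= $p * [Math]::Log($p, 2)   # bits per byte, maximum 8.0
        }
    }
    return [Math]::Round($entropy, 3)
}

function Find-HighEntropyFiles {
    param(
        [Parameter(Mandatory)][string]$ScanPath,
        [double]$Threshold = 7.9,
        # already-compressed formats are legitimately near 8.0 bits/byte; skip them
        [string[]]$SkipExtensions = @('.zip','.7z','.rar','.gz','.jpg','.png','.mp3','.mp4','.pdf','.docx','.xlsx','.pptx')
    )
    Get-ChildItem -Path $ScanPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $SkipExtensions -notcontains $_.Extension.ToLower() } |
        ForEach-Object {
            $e = Get-FileEntropy -Path $_.FullName
            if ($e -ge $Threshold) {
                # same Directory/BaseName/Extension columns the script's CSV uses
                [PSCustomObject]@{
                    Directory = $_.DirectoryName
                    BaseName  = $_.BaseName
                    Extension = $_.Extension
                    Entropy   = $e
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

Find-HighEntropyFiles -ScanPath 'C:\Users' | Export-Csv .\highentropy.csv -NoTypeInformation
```

The LastWrite column lets you cluster hits by modification time, which separates a mass-encryption event from the odd legitimately encrypted file.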
In addition to searching for files impacted by ransomware, the script also allows you to restore the impacted files from backups you may have. Backups are, in my opinion, the best way to overcome a ransomware attack. If you have good backups, the script will help you restore the impacted files more quickly. The options take the output of the search piece of the script, the CSV list generated during the search, and use it to recover those files. The script also uses ROBOCOPY to preserve the permissions on the backed-up files. You can see the sample code to do this below:
# Restore files listed in suspiciousfiles.csv from a backup location
# (assumption: the backup mirrors the source tree, so C:\Users\bob\Documents is backed up under <backup>\Users\bob\Documents)
$csvFilename = ".\suspiciousfiles.csv"
# suspiciousfiles.csv was written by Export-Csv, so it already carries the Directory,BaseName,Extension header row
$csv = Import-Csv $csvFilename
$backuppath2 = read-host "Please enter a backup location"
# Inventory the backup location for reference
Get-ChildItem -Recurse -File -Path $backuppath2 | Select-Object Directory,BaseName,Extension | Export-Csv .\backupfiles.csv
foreach ($line in $csv) {
    $var = $line.Directory            # directory the encrypted file was found in
    $var1 = $line.BaseName            # original file name without the bad extension
    $var2 = $line.Extension           # the bad extension, kept for reference
    $var3 = $var1 + ".*"              # robocopy file mask: any file with that base name
    # strip the drive qualifier so "C:\Users\bob" maps to "<backup>\Users\bob"
    $backpath2 = Join-Path $backuppath2 (Split-Path -Path $var -NoQualifier)
    # robocopy <source dir> <destination dir> <file mask>; /COPYALL keeps ACLs, owner and timestamps
    Robocopy $backpath2 $var $var3 /COPYALL
}
Finally, the script offers cleanup options once your files have been restored, in an attempt to remove traces of the encrypted files. You specify the bad file extension of the encrypted files and the script will run through and remove those files, ensuring you do not have any additional encrypted files lying around.
# Remove the encrypted copies once the originals have been restored
$specFilenameEX = read-host "Please specify an extension to remove from your infected folder tree (without the dot)"
$specfullname = "*." + $specFilenameEX
$infectpath = read-host "Please enter the root path in the folder tree to clean up"
# -Force also finds hidden files; -File keeps directories out of the delete
Get-ChildItem $infectpath -Recurse -File -Include $specfullname -Force | Remove-Item
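Deleting by extension is irreversible if the restore step missed a file. As an added example that is not part of the original script, the function below quarantines the encrypted copies instead, optionally only where a restored original with the same name sits beside them, and records what it moved. It assumes the ransomware appended the bad extension to the original name (report.docx becomes report.docx.locked) and that the quarantine folder lies outside the tree being cleaned.

```powershell
# Added example, not part of the original Run-RansomRecovery script.
# Quarantines the encrypted copies instead of deleting them, and only where a
# restored original with the same name sits beside them, so nothing is lost
# if the restore missed a file. Assumptions: the ransomware appended
# $BadExtension to the original name (report.docx -> report.docx.locked) and
# $QuarantinePath lies outside the tree being scanned.
function Move-EncryptedToQuarantine {
    param(
        [Parameter(Mandatory)][string]$InfectPath,
        [Parameter(Mandatory)][string]$BadExtension,
        [Parameter(Mandatory)][string]$QuarantinePath,
        [switch]$RequireRestoredOriginal
    )
    if (-not $BadExtension.StartsWith('.')) { $BadExtension = '.' + $BadExtension }
    if (-not (Test-Path -LiteralPath $QuarantinePath)) {
        New-Item -ItemType Directory -Path $QuarantinePath | Out-Null
    }
    Get-ChildItem -Path $InfectPath -Recurse -File -Force -Filter ('*' + $BadExtension) -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $BadExtension } |   # guard against short-name wildcard matches
        ForEach-Object {
            # "report.docx.locked" -> "report.docx" in the same directory
            $originalName = $_.Name.Substring(0, $_.Name.Length - $BadExtension.Length)
            $restored = Test-Path -LiteralPath (Join-Path $_.DirectoryName $originalName)
            if ($RequireRestoredOriginal -and -not $restored) {
                Write-Warning "No restored original next to $($_.FullName); left in place"
                return   # inside ForEach-Object this skips to the next file
            }
            # keep the source layout under quarantine so each file can be traced back
            $dest = Join-Path $QuarantinePath (Split-Path -Path $_.DirectoryName -NoQualifier)
            if (-not (Test-Path -LiteralPath $dest)) {
                New-Item -ItemType Directory -Path $dest -Force | Out-Null
            }
            Move-Item -LiteralPath $_.FullName -Destination $dest -Force
            [PSCustomObject]@{
                Source           = $_.FullName
                Quarantined      = Join-Path $dest $_.Name
                OriginalRestored = $restored
            }
        }
}

# Review quarantined.csv, then purge the quarantine folder once the restore is confirmed
Move-EncryptedToQuarantine -InfectPath 'C:\Users' -BadExtension 'locked' -QuarantinePath 'D:\quarantine' -RequireRestoredOriginal |
    Export-Csv .\quarantined.csv -NoTypeInformation
```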