Search for files encrypted by Crypto Virus


Today I will talk about crypto viruses. This is one of the ugliest virus types. Our company much suffers from them. Antiviruses just let them do their work until we get all files encrypted. It is not a big deal, since we have backups. But first we need to identify on what to restore.

You can find vocabularies of file extensions that crypto viruses used in the past. For now they go smarter and file extension for encrypted files is just 6 random letters.

For a long time I was searching for the script that can identify for me such encrypted files, but found nothing. So I decided to make my own script. Here are the requirements I had:

  1. It should work quick. Users have network disks mapped, and storage there can be 20-30 TB of data, so search can take very long time
  2. It should handle unicode symbols in files names
  3. It should handle double file extensions, like or some others
  4. It should support long file names

As result I got Powershell script

You will need to change 4 first strings to your data. №1 is the path where you want to do a search for encrypted files. №2 is to save temporary file. №3 is your file with scan results №4 is how many days ago do you think virus encrypted the files

$PathToCheck = “\\server\folder”                                          #where to search for encrypted files
$LogFilePath = “C:\Installation\group_scan.txt”              #temporary file which fill collect all file names from specified sourse
$ResultsOutput = “C:\Installation\res.txt”                          #File with results of scanning
$EncryptedFilesAge = “3”                                                          #Search only for files created less then X days ago
$EncryptedFilesAge =”/MAXAGE:” + $EncryptedFilesAge
$params = New-Object System.Collections.Arraylist
$params.AddRange(@(“/L”,”*.*”,”/S”,”/NJH”,”/BYTES”,”/FP”,”/NC”,”/NDL”,”/TS”,”/XJ”,”/R:0″,”/NP”,”/W:0″,”/NJH”,”/NJS”,”/NS”,”$EncryptedFilesAge”,”/MT:128″,”/UNILOG:$LogFilePath”)) #Parameters for Robocopy execution
write-host @(Get-Date)
& robocopy $PathToCheck NULL $params #execute robocopy, just logging, nothing will be copied/removed/moved/renamed
write-host @(Get-Date)
(Select-String -Path $LogFilePath -Pattern “[.]+([a-zA-Z]{6})+$” -Encoding Default | select “Line”).Line |  Format-Table -Wrap -HideTableHeaders | Out-File $ResultsOutput -Encoding Default #Filter file names by “.” + 6 random letters + end of string
write-host @(Get-Date)

Script is using robocopy to handle long file names, unicode symbols and processing speed. Unfortunately last 2 options appeared only for robocopy for windows 2012R2 (maybe 2012 also). So script is designed to work on windows 2012R2.

Script does full scan of 1.82TB of data during 12minutes

But if you know that virus encrypted files just few days ago (parameter #4) then same amount of data it scans less then 1 minute!!!

Here are some improvements that can be done:

  1. Add support of multiple sources
  2. Send results by mail
  3. Handle exceptions
  4. Add some logic to display only root folders that need to be restored, but not all the files
  5. Improve file mask to search only for file with duplicate extensions, like document.docx.asdjkl
  6. Add possibility for script user to add mask by himself, cause extension and principles on how crypto virus works might be changed

If you have any questions pls reach me on

#CryptoVirus #Crypto Virus #6 random characters extension #powershell #robocopy #windows 2012


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s