Search for files encrypted by Crypto Virus

Hey!

Today I will talk about crypto viruses. This is one of the ugliest virus types, and our company suffers a lot from them. Antiviruses just let them do their work until all our files are encrypted. It is not a big deal, since we have backups, but first we need to identify what to restore.

You can find lists of file extensions that crypto viruses used in the past. Nowadays they are smarter: the extension of an encrypted file is just 6 random letters.

For a long time I searched for a script that could identify such encrypted files for me, but found nothing, so I decided to write my own. Here are the requirements I had:

  1. It should work quickly. Users have network disks mapped, and the storage there can hold 20-30 TB of data, so a search can take a very long time
  2. It should handle Unicode characters in file names
  3. It should handle double file extensions, like document.doc.ba or similar
  4. It should support long file names

As a result I wrote a PowerShell script.

You will need to change the first 4 lines to your own data. №1 is the path where you want to search for encrypted files. №2 is where to save the temporary file. №3 is the file that receives the scan results. №4 is how many days ago you think the virus encrypted the files.

$PathToCheck = "\\server\folder"                 #where to search for encrypted files
$LogFilePath = "C:\Installation\group_scan.txt"  #temporary file which will collect all file names from the specified source
$ResultsOutput = "C:\Installation\res.txt"       #file with the results of scanning
$EncryptedFilesAge = "3"                         #search only for files created less than X days ago
$EncryptedFilesAge = "/MAXAGE:" + $EncryptedFilesAge
$params = New-Object System.Collections.ArrayList
#Parameters for robocopy execution: /L = list only, /UNILOG = Unicode log file, /MT:128 = 128 threads, /MAXAGE = skip files older than X days
$params.AddRange(@("/L","*.*","/S","/NJH","/BYTES","/FP","/NC","/NDL","/TS","/XJ","/R:0","/NP","/W:0","/NJS","/NS","$EncryptedFilesAge","/MT:128","/UNILOG:$LogFilePath"))
Write-Host @(Get-Date)
& robocopy $PathToCheck NULL $params #execute robocopy, just logging; nothing will be copied/removed/moved/renamed
Write-Host @(Get-Date)
#Filter file names by "." + 6 random letters + end of string
(Select-String -Path $LogFilePath -Pattern "[.]+([a-zA-Z]{6})+$" -Encoding Default | Select-Object Line).Line | Format-Table -Wrap -HideTableHeaders | Out-File $ResultsOutput -Encoding Default
Write-Host @(Get-Date)

The script uses robocopy to handle long file names, Unicode characters and processing speed. Unfortunately the last 2 options appeared only in the robocopy shipped with Windows 2012 R2 (maybe 2012 also), so the script is designed to work on Windows 2012 R2.

The script does a full scan of 1.82 TB of data in 12 minutes.

But if you know that the virus encrypted the files just a few days ago (parameter #4), then it scans the same amount of data in less than 1 minute!!!

Here are some improvements that could be made:

  1. Add support for multiple sources
  2. Send the results by mail
  3. Handle exceptions
  4. Add some logic to display only the root folders that need to be restored, rather than all the files
  5. Improve the file mask to search only for files with duplicate extensions, like document.docx.asdjkl
  6. Let the script user supply the mask, because the extension and the principles of how a crypto virus works might change
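The following is an added example (not the post's own script) that covers improvements 4, 5 and 6 above. Instead of running robocopy again, it post-processes the temporary log the script writes: it keeps only names where a known document extension is followed by a dot and exactly 6 letters, and then groups the hits by the first folder below the scanned root so you see what to restore. $SampleLog is constructed data that approximates the log layout (timestamp, then full path); $PathToCheck and the $KnownExtensions list are assumptions you would adjust to your environment.

```powershell
# Added example, not the original post's script. It post-processes a robocopy /L log
# (the temporary file the script above writes) instead of running robocopy again.
# $SampleLog is constructed data approximating the log layout; $PathToCheck and the
# extension list are assumptions you would adjust.

$PathToCheck = '\\server\folder'
# Extensions that count as a "real" document extension before the random suffix.
# This is the user-editable mask from improvement #6; adjust to your data.
$KnownExtensions = 'doc','docx','xls','xlsx','ppt','pptx','pdf','txt','jpg','png','zip'

# Constructed sample of log lines in the layout robocopy /L /FP /TS /NC /NS /NDL writes
# (leading whitespace, timestamp, whitespace, full path).
$SampleLog = @'
          2016/03/14 09:12:44    \\server\folder\Finance\2015\budget.xlsx.qwhtzk
          2016/03/14 09:12:44    \\server\folder\Finance\2015\README.txt
          2016/03/14 09:12:46    \\server\folder\Finance\2016\invoices.pdf.mnbvcx
          2016/03/14 09:12:45    \\server\folder\HR\contracts\smith.docx.plmokn
          2016/03/13 18:40:01    \\server\folder\HR\contracts\notes.docx
          2016/03/14 09:13:10    \\server\folder\Public\photo.jpg.ZXCVBN
          2016/03/14 09:13:11    \\server\folder\Public\archive.tar.gz
'@ -split "`r?`n"

function Get-EncryptedFileHits {
    param(
        [string[]]$LogLines,
        [string[]]$Extensions
    )
    $extAlternation = ($Extensions | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Full path = everything from the UNC prefix or drive letter to the end of the line.
    $pathRegex   = '(?<path>(?:\\\\|[A-Za-z]:\\).*)$'
    # Known extension, then a dot, then exactly six letters, then end of the name
    # (PowerShell -match is case-insensitive, so upper-case suffixes are caught too).
    $cryptoRegex = "\.(?<ext>$extAlternation)\.(?<suffix>[a-zA-Z]{6})$"

    foreach ($line in $LogLines) {
        if ($line -notmatch $pathRegex) { continue }
        $path = $Matches['path'].TrimEnd()
        if ($path -match $cryptoRegex) {
            [pscustomobject]@{
                Path         = $path
                OriginalExt  = $Matches['ext']
                RandomSuffix = $Matches['suffix']
            }
        }
    }
}

function Get-FoldersToRestore {
    # Groups hits by the first folder below $Root (improvement #4).
    param([object[]]$Hits, [string]$Root)
    $Hits | ForEach-Object {
        $relative = $_.Path.Substring($Root.Length).TrimStart('\')
        ($relative -split '\\')[0]
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{n='RootFolder';e={$_.Name}}, @{n='EncryptedFiles';e={$_.Count}}
}

$hits = Get-EncryptedFileHits -LogLines $SampleLog -Extensions $KnownExtensions
$hits | Format-Table -AutoSize
Get-FoldersToRestore -Hits $hits -Root $PathToCheck | Format-Table -AutoSize
```

On the sample data this reports four hits (README.txt, notes.docx and archive.tar.gz are skipped because they lack a trailing 6-letter suffix) and summarises them as Finance: 2, HR: 1, Public: 1. To use it on a real scan, replace $SampleLog with Get-Content of the temporary log file from the script above.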

If you have any questions, please reach me at iurii.iashchenko@gmail.com

#CryptoVirus #Crypto Virus #6 random characters extension #powershell #robocopy #windows 2012

Insufficient system resources exist to complete the requested service!

Hi everybody! Here is some more information about the different issues we face each day!

While trying to copy a huge (70Gb) database backup from one disk to another, I got an error message saying that insufficient system resources exist to complete the requested service.

The first thing I thought of was to use the robocopy command-line tool, which is optimized for file operations.

Despite all the retries, it was not able to copy the file. The server is an old Windows 2003 virtual machine on VMware with 6GB of RAM, used as a database server for some old applications. I am sure that a server restart would fix this problem for some time, but the server is in use, so I had to think of other workarounds. I tried copying smaller files, like 8GB, and it worked fine.

I downloaded and installed the 7-Zip archiver on the server and started adding the file to an archive. Compression usually takes a lot of time, so I set the compression level to "Store" (no compression), and in "Split to volumes" I chose 8Gb parts.

After the operation completed I copied all 9 files to the destination without any issues, opened the first of them and extracted the complete file.
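As an added example (not from the post), here is the command-line equivalent of the 7-Zip GUI steps above, so the same workaround can be scripted: store-only archiving split into 8 GB volumes, the copy, and an archive test on the destination before anything at the source is touched. The 7z.exe location, the file names and the drive letters are assumptions.

```powershell
# Added example, not from the post: command-line equivalent of the 7-Zip GUI steps
# (Store = no compression, split into 8 GB volumes), then copy and verify.
# All paths below are assumptions; adjust them to your environment.
$SevenZip    = 'C:\Program Files\7-Zip\7z.exe'
$SourceFile  = 'D:\Backups\db.bak'            # the ~70 GB backup that would not copy
$StagingDir  = 'D:\Backups\split'
$Destination = 'E:\Backups\split'

New-Item -ItemType Directory -Path $StagingDir -Force | Out-Null

# a = add to archive, -mx0 = store (no compression), -v8g = 8 GB volumes
# -> produces db.bak.7z.001, db.bak.7z.002, ...
& $SevenZip a -mx0 -v8g (Join-Path $StagingDir 'db.bak.7z') $SourceFile
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Copy the volumes; each one is below the size that triggered the error.
robocopy $StagingDir $Destination 'db.bak.7z.*' /R:3 /W:5 /NP
# robocopy exit codes below 8 mean success (1 = files copied, 0 = nothing to do).
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# Test the archive on the destination before deleting anything at the source;
# 7z t verifies every volume's CRC, which catches a truncated or missing part.
& $SevenZip t (Join-Path $Destination 'db.bak.7z.001')
if ($LASTEXITCODE -ne 0) { throw "Archive test failed on destination" }

# Extract the complete file at the destination (the final GUI step in the post).
# x = extract with paths, -o = output directory, -y = assume yes on prompts.
& $SevenZip x (Join-Path $Destination 'db.bak.7z.001') "-o$Destination" -y
if ($LASTEXITCODE -ne 0) { throw "Extraction failed with exit code $LASTEXITCODE" }
```

Pointing 7z at the .001 volume is enough; it locates the remaining parts in the same directory. The test step is the part worth keeping even when copying by hand, since a silently truncated volume only shows up when the database restore fails.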