Search for files encrypted by Crypto Virus


Today I will talk about crypto viruses. This is one of the ugliest virus types. Our company much suffers from them. Antiviruses just let them do their work until we get all files encrypted. It is not a big deal, since we have backups. But first we need to identify on what to restore.

You can find vocabularies of file extensions that crypto viruses used in the past. For now they go smarter and file extension for encrypted files is just 6 random letters.

For a long time I was searching for the script that can identify for me such encrypted files, but found nothing. So I decided to make my own script. Here are the requirements I had:

  1. It should work quick. Users have network disks mapped, and storage there can be 20-30 TB of data, so search can take very long time
  2. It should handle unicode symbols in files names
  3. It should handle double file extensions, like or some others
  4. It should support long file names

As result I got Powershell script

You will need to change 4 first strings to your data. №1 is the path where you want to do a search for encrypted files. №2 is to save temporary file. №3 is your file with scan results №4 is how many days ago do you think virus encrypted the files

$PathToCheck = “\\server\folder”                                          #where to search for encrypted files
$LogFilePath = “C:\Installation\group_scan.txt”              #temporary file which fill collect all file names from specified sourse
$ResultsOutput = “C:\Installation\res.txt”                          #File with results of scanning
$EncryptedFilesAge = “3”                                                          #Search only for files created less then X days ago
$EncryptedFilesAge =”/MAXAGE:” + $EncryptedFilesAge
$params = New-Object System.Collections.Arraylist
$params.AddRange(@(“/L”,”*.*”,”/S”,”/NJH”,”/BYTES”,”/FP”,”/NC”,”/NDL”,”/TS”,”/XJ”,”/R:0″,”/NP”,”/W:0″,”/NJH”,”/NJS”,”/NS”,”$EncryptedFilesAge”,”/MT:128″,”/UNILOG:$LogFilePath”)) #Parameters for Robocopy execution
write-host @(Get-Date)
& robocopy $PathToCheck NULL $params #execute robocopy, just logging, nothing will be copied/removed/moved/renamed
write-host @(Get-Date)
(Select-String -Path $LogFilePath -Pattern “[.]+([a-zA-Z]{6})+$” -Encoding Default | select “Line”).Line |  Format-Table -Wrap -HideTableHeaders | Out-File $ResultsOutput -Encoding Default #Filter file names by “.” + 6 random letters + end of string
write-host @(Get-Date)

Script is using robocopy to handle long file names, unicode symbols and processing speed. Unfortunately last 2 options appeared only for robocopy for windows 2012R2 (maybe 2012 also). So script is designed to work on windows 2012R2.

Script does full scan of 1.82TB of data during 12minutes

But if you know that virus encrypted files just few days ago (parameter #4) then same amount of data it scans less then 1 minute!!!

Here are some improvements that can be done:

  1. Add support of multiple sources
  2. Send results by mail
  3. Handle exceptions
  4. Add some logic to display only root folders that need to be restored, but not all the files
  5. Improve file mask to search only for file with duplicate extensions, like document.docx.asdjkl
  6. Add possibility for script user to add mask by himself, cause extension and principles on how crypto virus works might be changed

If you have any questions pls reach me on

#CryptoVirus #Crypto Virus #6 random characters extension #powershell #robocopy #windows 2012


Windows 2012R2 RDS CAL reporting script

Hi, long time we were keeping silent, but not it is a time for some news.

Here i found a script for reporting of per user RDP CAL licenses usage, however my license server was windows 2012r2, so original script was not working. So I changed it to work and also added section to send results by mail, here you go:

# Filename of the export
$filename = “RDS-CAL-Report.csv”
# Import RDS PowerShell Module
import-module remotedesktopservices

# Open RDS Location
Set-Location -path rds:

# Remove previous reports (Optional)
remove-item RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports\* -Recurse

# Create new RDS report
Invoke-WmiMethod -Class Win32_TSLicenseReport -Name GenerateReportEx

# Name is automatically generated
$NewReportName = Get-ChildItem RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports -name

# Get issued licenses
$IssuedLicenseCount = get-item RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports\$NewReportName\Win8\IssuedCount
# Count issued licenses
$IssuedLicenseCountValue = $IssuedLicenseCount.CurrentValue

# Get installed licenses
$InstalledLicenseCount = get-item RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports\$NewReportName\Win8\InstalledCount
# Count installed licenses
$InstalledLicenseCountValue = $InstalledLicenseCount.CurrentValue

# Installed – Issued
$Available = $InstalledLicenseCount.CurrentValue – $IssuedLicenseCount.CurrentValue
# Show percentage available
$AvailablePercent = ($Available /$InstalledLicenseCount.CurrentValue)*100
$AvailablePercent = “{0:N0}” -f $AvailablePercent

# Display info

Write-host “Installed: $InstalledLicenseCountValue”
Write-host “Issued: $IssuedLicenseCountValue”
Write-host “Available: $Available [ $AvailablePercent % ]”

# Add the information into an Array

[System.Collections.ArrayList]$collection = New-Object System.Collections.ArrayList($null)
$obj = @{
Installed = $InstalledLicenseCountValue
Available = $Available
AvailablePercent = $AvailablePercent
Issued = $IssuedLicenseCountValue
Date = get-date

# Exit RDS location
set-location c:

# Create PSO Object with the data
$collection.Add((New-Object PSObject -Property $obj));

# Export Data into a file
$collection | export-csv $filename -NoTypeInformation -Encoding UTF8

#send mail

#Modify to your SMTP server
$smtpServer = “”

#Modify to your path where report generated
$file = “C:\script\RDS-CAL-Report.csv”
$att = new-object Net.Mail.Attachment($file)
$msg = new-object Net.Mail.MailMessage
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$msg.From = “”

#Modify recipients

$msg.Subject = “server licenses usage reporting”
$msg.Body = “Monthly license reporting, refer your question to me”