
How to solve poor man’s crypto ransomware

Ransomware has been around for a while and people have finally seen the benefits of cloud storage. But files are still synced to a local folder on the computer and are therefore still vulnerable. Microsoft helps customers restore batches of files that have been encrypted, so most of the data will be in good hands regardless.

But the ransomware creators know this. So by doing a renaming attack instead, the cloud vendors are unable to help, because they don’t see the renaming of a file as a file change and no file history is ever created.

One type of ransomware we came across just added a new random file extension to all the files. No encryption was ever performed and the extensions followed a pattern, so restoring the files was easy.

By using this simple PowerShell script I was able to rename all the files back to their original names.

The regex pattern I used is “\.[\w]{1,6}\.[\w]{6}$”. It matches a string which ends with a dot followed by 1-6 characters, then another dot, and finally exactly 6 characters. Of course there is a chance of false positives, so comment out the “rename-item” part of the script until you know it’s doing the right thing.

# Folder to repair; the script walks it recursively
cd C:\test
# Collect the list first so renaming does not interfere with the enumeration (-File skips directories)
$files = Get-ChildItem -Recurse -File
# Match names ending in ".<1-6 chars>.<6 chars>", the pattern the malware added
$files | Where-Object { $_.Name -match "\.[\w]{1,6}\.[\w]{6}$" } | ForEach-Object {
    # Drop the last 7 characters: the dot plus the 6-character random extension
    [string]$newName = $_.Name.Substring(0, $_.Name.Length - 7)
    Write-Host ("Renaming {0} New name {1}" -f $_.Name, $newName)
    # Comment out the next line for a dry run until the output looks right.
    # -LiteralPath keeps characters such as [ ] in file names from being treated as wildcards.
    Rename-Item -LiteralPath $_.FullName -NewName $newName
}

The result after the script.
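A safer variant of the same recovery, added here as an example and not part of the original post: it runs as a dry run by default, refuses to overwrite a file that already exists under the original name (for instance one the cloud client has already restored), checks the first bytes of each file against a small table of known file signatures to confirm the content really is unencrypted, and writes every decision to a CSV log for later review. The path C:\test, the log file name and the signature table are constructed for illustration.

```powershell
# Added example (not the post's own script). Assumes the same rename pattern the post
# describes: "<name>.<original ext>.<6 random chars>". C:\test and the signature
# table below are constructed for illustration.

$Root    = 'C:\test'
$Pattern = '\.[\w]{1,6}\.[\w]{6}$'
$LogPath = Join-Path $Root 'recovery-log.csv'
$DryRun  = $true          # set to $false once the log looks right

# Leading bytes ("magic numbers") of a few common formats, used to check that the
# content behind a recovered extension is plausible, i.e. was not actually encrypted.
$Signatures = @{
    'pdf'  = @(0x25, 0x50, 0x44, 0x46)    # %PDF
    'png'  = @(0x89, 0x50, 0x4E, 0x47)    # .PNG
    'jpg'  = @(0xFF, 0xD8, 0xFF)
    'zip'  = @(0x50, 0x4B, 0x03, 0x04)    # PK.. (also the Office formats below)
    'docx' = @(0x50, 0x4B, 0x03, 0x04)
    'xlsx' = @(0x50, 0x4B, 0x03, 0x04)
    'exe'  = @(0x4D, 0x5A)                # MZ
}

# Returns 'match', 'mismatch' or 'unverified' (no signature known for the extension).
function Test-FileHeader {
    param([string]$Path, [string]$Extension)
    $ext = $Extension.TrimStart('.').ToLower()
    if (-not $Signatures.ContainsKey($ext)) { return 'unverified' }
    $expected = $Signatures[$ext]
    $buffer   = New-Object byte[] $expected.Length
    $stream   = [System.IO.File]::OpenRead($Path)
    try   { $read = $stream.Read($buffer, 0, $buffer.Length) }
    finally { $stream.Dispose() }
    if ($read -lt $expected.Length) { return 'mismatch' }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($buffer[$i] -ne $expected[$i]) { return 'mismatch' }
    }
    return 'match'
}

$results = foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse) {
    if ($file.Name -notmatch $Pattern) { continue }

    # Strip the trailing ".xxxxxx" (dot + 6 chars) that the malware appended.
    $newName = $file.Name.Substring(0, $file.Name.Length - 7)
    $target  = Join-Path $file.DirectoryName $newName
    $origExt = [System.IO.Path]::GetExtension($newName)
    $header  = Test-FileHeader -Path $file.FullName -Extension $origExt

    $status =
        if (Test-Path -LiteralPath $target) { 'skipped: target already exists' }
        elseif ($header -eq 'mismatch')     { 'skipped: header mismatch, content may be encrypted' }
        elseif ($DryRun)                    { 'dry-run: would rename' }
        else {
            Rename-Item -LiteralPath $file.FullName -NewName $newName
            'renamed'
        }

    [pscustomobject]@{
        Original = $file.FullName
        NewName  = $newName
        Header   = $header
        Status   = $status
    }
}

# Audit trail plus a quick summary of what happened, grouped by outcome.
$results | Export-Csv -LiteralPath $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Count, Name
```

Run it once with `$DryRun = $true`, read the CSV, and only flip the flag when every row you expect to be renamed shows `dry-run: would rename` with a `match` or `unverified` header. A `mismatch` row is the signal that the content was changed as well as the name, and that file needs the cloud version history rather than a rename.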
