Scanning for Encrypted Files (Cryptolocker)

Our office was hit with the Cryptolocker Virus and wiped out a good portion of our file shares.  We're in the process of restoring the files from backup, but some files were encrypted earlier in the week, while others were encrypted yesterday.

We've restored yesterday (and thus most of the files), but I'm afraid that there's going to be a mix of encrypted files from earlier in the week that are still encrypted.  Using the regedit method to track the keys the virus placed doesn't look like it's going to locate all the files for us.

Does anyone know of a tool to scan folders for encrypted files and provide a list (particularly the encryption of the Cryptolocker) so we can piece together what needs to be restored still?
garyttu Asked:
Sudeep Sharma (Technical Designer) Commented:
As found in one of the forums, the filename and filepath are located under one registry key.

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Below is the snippet from the link:
CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds a file that matches one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY\Software\CryptoLocker\Files Registry key.

Thanks,
Sudeep Sharma
Sudeep Sharma (Technical Designer) Commented:
And there are other methods too, posted on the same post link provided in the previous post.

How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool that I have created:

    http://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files found under the HKCU\Software\CryptoLocker\Files key. Once it has completed it will automatically open this log in Notepad.

Another method is to use the Windows PowerShell (thanks prsgroup):

For systems with PowerShell, you can dump the list of files in the CryptoLocker registry key using the following command:

    (Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

Make sure to include the "-Encoding unicode" parameter to ensure that filenames with Unicode characters are preserved.

Sudeep
garyttu (Author) Commented:
Those are the registry entry methods I referred to above and I'm afraid they are not sufficient.  Not all files that are encrypted were listed in the registry of our two infected computers.

I'm instead looking for a scanner of the actual files...
tliotta Commented:
Not all files that are encrypted were listed in the registry of our two infected computers.

That would be a very difficult thing to know. That is, you could determine that a file was corrupted or replaced; but it would be near impossible to determine if it was encrypted rather than garbage. And it would be harder to determine if it was encrypted by Cryptolocker.

Also, if Cryptolocker encrypted a file through a mapped drive, what system would likely hold the related registry key?

Tom
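One way to do the file-level scan garyttu asked for, while respecting tliotta's caveat that "encrypted" and "garbage" are hard to tell apart: check each file's leading bytes against what its extension promises, and use byte entropy only to sort header mismatches into "looks like ciphertext" versus "looks truncated or zeroed". Compressed containers (.docx, .jpg, PDF streams) are high-entropy by design, so entropy alone would flag healthy files; the header check is the primary signal. This is an added example written for this thread, not code from the original posts, from BleepingComputer or from ListCrilock. It assumes the encrypted files kept their original names and extensions (consistent with the registry recording the original full path), covers only a subset of the quoted extension list, and cannot attribute damage to CryptoLocker specifically, only report files that no longer parse as their declared type. The sample share it builds is constructed data in a temporary directory; point scan() at the restored share instead to get the list of files still needing restore.

```python
import math
import os
import random
import tempfile
import zipfile
from pathlib import Path

# Expected leading bytes ("magic numbers") for some of the extensions in the
# CryptoLocker target list quoted above. Office 2007+ files are ZIP archives,
# pre-2007 Office files are OLE2 compound documents. Subset only.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",), ".jpe": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",),
    ".pst": (b"!BDN",),
    ".rtf": (b"{\\rtf",),
    ".pem": (b"-----BEGIN",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path, sample_size=4096):
    """Return a verdict dict for one file, or None if its type is not in MAGIC."""
    ext = Path(path).suffix.lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    magic_ok = any(head.startswith(m) for m in MAGIC[ext])
    entropy = shannon_entropy(head)
    if magic_ok:
        verdict = "ok"                 # header matches what the extension promises
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "suspect-encrypted"  # wrong header and the bytes look like ciphertext
    else:
        verdict = "suspect-corrupt"    # wrong header but not random: truncated, zeroed, garbage
    return {"path": str(path), "magic_ok": magic_ok,
            "entropy": round(entropy, 2), "verdict": verdict}


def scan(root):
    """Walk a directory tree (e.g. a restored share) and classify every known file type."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            r = classify(os.path.join(dirpath, name))
            if r is not None:
                results.append(r)
    return sorted(results, key=lambda r: r["path"])


def build_sample_share(root):
    """Constructed sample data standing in for a file share: three intact files,
    one ciphertext-like .xlsx and one zeroed .rtf."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "report.docx", "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj\n<<>>\nendobj\n" * 50)
    rng = random.Random(1234)  # seeded so the outcome is reproducible
    (root / "sub" / "budget.xlsx").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    (root / "sub" / "notes.rtf").write_bytes(b"\x00" * 512)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    return root


def demo():
    """Build the sample share in a temp dir and return {filename: verdict}."""
    root = build_sample_share(tempfile.mkdtemp(prefix="cl_scan_"))
    return {os.path.basename(r["path"]): r["verdict"] for r in scan(root)}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:18} {name}")
```

On the constructed share the scan reports report.docx, invoice.pdf and photo.jpg as ok, budget.xlsx as suspect-encrypted and notes.rtf as suspect-corrupt. Running it against the share itself also sidesteps tliotta's mapped-drive point: the registry key lives on whichever workstation did the encrypting, but the damaged files are wherever the share is.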