Scanning for Encrypted Files (Cryptolocker)

Posted on 2013-10-17
Medium Priority
Last Modified: 2013-11-22
Our office was hit with the Cryptolocker Virus and wiped out a good portion of our file shares.  We're in the process of restoring the files from backup, but some files were encrypted earlier in the week, while others were encrypted yesterday.

We've restored yesterday (and thus most of the files), but I'm afraid that there's going to be a mix of encrypted files from earlier in the week that are still encrypted.  Using the regedit method to track the keys the virus placed doesn't look like it's going to locate all the files for us.

Does anyone know of a tool to scan folders for encrypted files and provide a list (particularly the encryption of the Cryptolocker) so we can piece together what needs to be restored still?
Question by:garyttu
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39581684
As found in one of the forums, the filename and filepath are located under one registry key.


Below is the snippet from the link:
CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds a file that matches one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY\Software\CryptoLocker\Files Registry key.

Sudeep Sharma
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39581692
And there are other methods too, posted on the same post link provided in the previous post.

How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool that I have created:


When you run this tool it will generate a log file that contains a list of all encrypted files found under the HKCU\Software\CryptoLocker\Files key. Once it has completed it will automatically open this log in Notepad.

Another method is to use the Windows PowerShell (thanks prsgroup):

For systems with PowerShell, you can dump the list of files in the CryptoLocker registry key using the following command:

    (Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

Make sure to include the "-Encoding unicode" parameter to ensure that filenames with Unicode characters are preserved.


Author Comment

ID: 39581733
Those are the registry entry methods I referred to above and I'm afraid they are not sufficient.  Not all files that are encrypted were listed in the registry of our two infected computers.

I'm instead looking for a scanner of the actual files...
LVL 27

Accepted Solution

tliotta earned 2000 total points
ID: 39582420
Not all files that are encrypted were listed in the registry of our two infected computers.

That would be a very difficult thing to know. That is, you could determine that a file was corrupted or replaced; but it would be near impossible to determine if it was encrypted rather than garbage. And it would be harder to determine if it was encrypted by Cryptolocker.

Also, if Cryptolocker encrypted a file through a mapped drive, what system would likely hold the related registry key?
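The accepted answer is right that no scanner can prove a file was encrypted by CryptoLocker specifically. What a scanner can do, and what the asker wanted for building a restore list, is flag files whose contents no longer look like their extension claims. The script below is an added example (Python, not code from the thread or from any of the posters) that walks a share and applies two heuristics to the extensions CryptoLocker targets: a magic-byte check for formats with a fixed header (a .pdf that no longer starts with %PDF, a .docx that is no longer a ZIP container), and a Shannon-entropy check for extensions without a fixed header. The header table, the 7.5 bits-per-byte threshold, the sample share it builds in a temporary directory and the ENTROPY_ONLY set are this example's own assumptions; the file signatures are the standard ones for those formats.

```python
"""Heuristic scan for targeted files that may have been overwritten with ciphertext.

Two signals per file, checked in this order:
  1. Header (magic-byte) mismatch: strong signal, because ciphertext has no
     recognisable format header.
  2. Shannon entropy of the first 64 KiB: ciphertext is close to 8 bits/byte.
     Weak on its own (compressed formats such as docx, jpg and many PDFs are
     also high-entropy), so it is used only where no header is known.
Neither verdict proves CryptoLocker did it; both say "not what its extension claims".
"""
import math
import tempfile
from pathlib import Path

SAMPLE_BYTES = 64 * 1024
HIGH_ENTROPY = 7.5  # bits per byte (assumed threshold); ciphertext is normally > 7.9

ZIP = b"PK\x03\x04"                             # OOXML and ODF containers
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy Office (doc/xls/ppt)
JPEG = b"\xff\xd8\xff"

# Expected leading bytes for extensions from the CryptoLocker list that have a fixed header.
HEADERS = {
    ".pdf": (b"%PDF",),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,), ".docm": (ZIP,), ".xlsm": (ZIP,),
    ".odt": (ZIP,), ".ods": (ZIP,), ".odp": (ZIP,),
    ".doc": (OLE,), ".xls": (OLE,), ".ppt": (OLE,),
    ".jpg": (JPEG,), ".jpe": (JPEG,),
    ".psd": (b"8BPS",), ".rtf": (b"{\\rtf",), ".pst": (b"!BDN",),
    ".pem": (b"-----BEGIN",), ".der": (b"\x30",), ".p12": (b"\x30",), ".pfx": (b"\x30",),
    ".mdb": (b"\x00\x01\x00\x00Standard Jet DB",),
    ".accdb": (b"\x00\x01\x00\x00Standard ACE DB",),
}
# Targeted extensions with no fixed header (assumed subset): entropy is the only signal.
ENTROPY_ONLY = {".dwg", ".dxf", ".dbf", ".mdf", ".raw", ".wpd", ".wb2"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant byte, 8.0 for uniform bytes)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Return 'ok', 'header-mismatch', 'high-entropy', 'unclassified' or 'empty'."""
    with path.open("rb") as fh:
        data = fh.read(SAMPLE_BYTES)
    if not data:
        return "empty"
    expected = HEADERS.get(path.suffix.lower())
    if expected is not None:
        return "ok" if data.startswith(expected) else "header-mismatch"
    return "high-entropy" if entropy(data) > HIGH_ENTROPY else "unclassified"


def scan(root) -> dict:
    """Map each targeted file under root (relative POSIX path) to its verdict."""
    root = Path(root)
    targeted = set(HEADERS) | ENTROPY_ONLY
    return {p.relative_to(root).as_posix(): classify(p)
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in targeted}


def suspect(findings: dict) -> list:
    """Sorted restore candidates: files whose content contradicts their extension."""
    return sorted(p for p, v in findings.items() if v in ("header-mismatch", "high-entropy"))


def build_sample_tree(root) -> None:
    """Write constructed sample files (not real data) so the scan can be run offline."""
    root = Path(root)
    (root / "share" / "finance").mkdir(parents=True, exist_ok=True)
    ciphertext_like = bytes(range(256)) * 64       # uniform bytes: entropy 8.0, no header
    (root / "share" / "intact.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n" + b"0 obj\n" * 200)
    (root / "share" / "finance" / "budget.xlsx").write_bytes(ciphertext_like)  # lost its ZIP header
    (root / "share" / "finance" / "plans.dwg").write_bytes(ciphertext_like)    # no header known
    (root / "share" / "finance" / "notes.dxf").write_bytes(b"  0\nSECTION\n  2\nHEADER\n" * 100)
    (root / "share" / "zero.docx").write_bytes(b"")
    (root / "share" / "readme.txt").write_bytes(ciphertext_like)  # not a targeted extension


def demo() -> tuple:
    """Build the sample share in a temp dir, scan it, and return (all verdicts, restore list)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan(tmp)
    return findings, suspect(findings)


if __name__ == "__main__":
    findings, to_restore = demo()
    for rel, verdict in sorted(findings.items()):
        print(f"{verdict:16} {rel}")
    print("restore candidates:", to_restore)
```

Run it against the restored share, then diff the restore candidates against the backup catalogue: a header mismatch on a document that was fine in an older backup is the clearest sign that the restore picked up an already-encrypted copy. Files reported as unclassified need a manual look, and a high-entropy verdict on a naturally compressed format is not on its own evidence of anything.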


Question has a verified solution.