Ransomware has been a plague for a while now… Just by surfing to a website or by opening an invoice received by email, people get a nice popup window while their files are being encrypted. Every day, we hear nightmare stories about companies infected by such malicious code which do not have a proper backup to restore their files. Many times, I have received the same question: “What should we do if we are the victim of ransomware? Do we pay or not?” My answer is: definitely never pay the ransom! First, you are not sure to get the key to decrypt your files, and paying gives more power to the bad guys, who will continue to bug us…
The only correct way to get rid of ransomware is to have a proper backup (and restore!) procedure. But how to demonstrate the impact of a ransomware infection on a computer? Usually, users have no idea how many targeted files they have on their computer. And modern ransomware does not only encrypt local files but also remote files (stored on network shares or in the cloud – think about solutions like Dropbox).
Because one picture is worth a thousand words, I wrote a small Windows batch file which displays and counts the files targeted by most ransomware. The goal is to raise security awareness and to give a “visual” idea to people who still underestimate the amount of data they have access to. The script scans all the available drives (only “mapped” drive letters from A to Z) and displays/counts interesting files. The list of extensions is the one used by Locky.
```batch
@echo off
setlocal enabledelayedexpansion
set total=0
cls
rem Walk every drive letter; only letters that currently exist (local disks
rem and mapped shares) are handed to the :lookup routine.
for %%i in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do (
    set DRIVE=%%i:\
    if exist !DRIVE! (
        call :lookup !DRIVE!
    )
)
echo Total of files potentially encrypted files: %total%
pause
goto :eof

rem Recursively list and count the files on one drive whose extension is on
rem Locky's target list, then add them to the grand total.
:lookup
set drive=%1
set subtotal=0
echo Scanning %drive%
for /r %drive% %%i in (
    *.m4u *.m3u *.mid *.wma *.flv *.3g2 *.mkv *.3gp *.mp4 *.mov *.avi *.asf *.mpeg *.vob *.mpg *.wmv
    *.fla *.swf *.wav *.mp3 *.qcow2 *.vdi *.vmdk *.vmx *.gpg *.aes *.ARC *.PAQ *.tar.bz2 *.tbk *.bak
    *.tar *.tgz *.rar *.zip *.djv *.djvu *.svg *.bmp *.png *.gif *.raw *.cgm *.jpeg *.jpg *.tif *.tiff
    *.NEF *.psd *.cmd *.bat *.class *.jar *.java *.asp *.brd *.sch *.dch *.dip *.vbs *.asm *.pas *.cpp
    *.php *.ldf *.mdf *.ibd *.MYI *.MYD *.frm *.odb *.dbf *.mdb *.sql *.SQLITEDB *.SQLITE3 *.asc
    *.lay6 *.lay *.ms11 *.sldm *.sldx *.ppsm *.ppsx *.ppam *.docb *.mml *.sxm *.otg *.odg *.uop
    *.potx *.potm *.pptx *.pptm *.std *.sxd *.pot *.pps *.sti *.sxi *.otp *.odp *.wb2 *.123 *.wks
    *.wk1 *.xltx *.xltm *.xlsx *.xlsm *.xlsb *.slk *.xlw *.xlt *.xlm *.xlc *.dif *.stc *.sxc *.ots
    *.ods *.hwp *.602 *.dotm *.dotx *.docm *.docx *.DOT *.3dm *.max *.3ds *.xml *.txt *.CSV *.uot
    *.RTF *.pdf *.XLS *.PPT *.stw *.sxw *.ott *.odt *.DOC *.pem *.p12 *.csr *.crt *.key
) do (
    echo %%i
    set /a subtotal=subtotal + 1
    set /a total=total + 1
)
echo Detected files: %subtotal%
pause
goto :eof
```
Here is a sample output:
```
C:\temp> locky_targets.bat
Scanning c:\
<stuff deleted>
Detected files: 12685
Press any key to continue . . .
Scanning y:\
<stuff deleted>
Detected files: 882
Press any key to continue . . .
Total of files potentially encrypted files: 13567
Press any key to continue . . .
C:\temp>
```
The output was generated on a simple Windows 7 VM with not much data on it and only one connected share (Y:). 13K+ files… Impressive, no? One last question: how old is your last backup?
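As an added example (not the author's batch file), here is the same check written in PowerShell with the page's Locky extension list, reporting total size as well as file count per drive and flagging which drive letters are mapped network shares, since those are exactly the remote files a backup plan tends to forget. It assumes PowerShell 3.0 or later (for the `DisplayRoot` property of `Get-PSDrive`) and, like the batch file, only looks at drive letters that currently exist.

```powershell
# Added example, not the original script: count AND size the Locky-targeted files
# per drive letter, and mark drives that are mapped network shares.
$LockyExtensions = @'
m4u m3u mid wma flv 3g2 mkv 3gp mp4 mov avi asf mpeg vob mpg wmv fla swf wav mp3
qcow2 vdi vmdk vmx gpg aes ARC PAQ tar.bz2 tbk bak tar tgz rar zip djv djvu svg bmp
png gif raw cgm jpeg jpg tif tiff NEF psd cmd bat class jar java asp brd sch dch dip
vbs asm pas cpp php ldf mdf ibd MYI MYD frm odb dbf mdb sql SQLITEDB SQLITE3 asc
lay6 lay ms11 sldm sldx ppsm ppsx ppam docb mml sxm otg odg uop potx potm pptx pptm
std sxd pot pps sti sxi otp odp wb2 123 wks wk1 xltx xltm xlsx xlsm xlsb slk xlw xlt
xlm xlc dif stc sxc ots ods hwp 602 dotm dotx docm docx DOT 3dm max 3ds xml txt CSV
uot RTF pdf XLS PPT stw sxw ott odt DOC pem p12 csr crt key
'@ -split '\s+' | Where-Object { $_ }

function Get-RansomwareExposure {
    param([string[]]$Extensions)
    # One anchored regex for all extensions; -match is case-insensitive, so .DOC and .doc both count.
    $pattern = '\.(' + (($Extensions | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    # Same scope as the batch file: drive letters A-Z that exist right now (local or mapped).
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($drive in $drives) {
        $files = Get-ChildItem -Path $drive.Root -File -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -match $pattern }
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Drive        = $drive.Root
            NetworkShare = [bool]$drive.DisplayRoot   # set only for mapped shares (\\server\share)
            Files        = @($files).Count
            SizeMB       = [math]::Round(($bytes / 1MB), 1)
        }
    }
}

$report = Get-RansomwareExposure -Extensions $LockyExtensions
$report | Format-Table -AutoSize
$totalFiles = ($report | Measure-Object -Property Files -Sum).Sum
$totalMB    = ($report | Measure-Object -Property SizeMB -Sum).Sum
"Total: $totalFiles files, $totalMB MB potentially encrypted"
```

Run it from a normal user session rather than an elevated one: the point of the exercise is to show what the logged-in user (and therefore a ransomware running as that user) can reach.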