The Impact of a Ransomware Infection

RansomwareFor a while, ransomware is a plague… Just by surfing to a website or by opening an invoice received by email, people get a nice popup window while their files are being encrypted. Everyday, we hear about nightmare stories with companies infected by such malicious code and which do not have a proper backup to restore their files. Many times, I received the same question: “What to do if we are victim of a ransomware? Do we pay or not?“. My answer is definitively never pay the ransom! First, you’re not sure to get the key to decrypt your files and this will give more power to the bad guys who will continue to bug us…

The only correct way to get rid of a ransomware is to have a proper backup (and restore!) procedure. But how to demonstrate the impact of a ransomware infection on a computer? Usually, users do not have an idea about the number of targeted files that they have on their computer. And modern ransomware not only encrypt local files but also remote files (stored on network shares or in the cloud – think about solutions like Dropbox).

Because one picture is worth a thousand words, I wrote a small Windows batch files which displays and counts the files targeted by most ransomware. The goal is raise the security awareness and to give a “visual” idea to people who still underestimate the amount of data they have access to. The script scans all the available drives (only “mapped” drives from A-Z) and displays/counts  interesting files. The list of extensions is the one used by Locky.

@echo off
setlocal enabledelayedexpansion
set total=0
cls
for %%i in (a b c d e f g h i j k l m n o p q r s t u v w x y z) do (
  set DRIVE=%%i:\
  if exist !DRIVE! (
    call :lookup !DRIVE!
  )
)
echo Total of files potentially encrypted files: %total%
pause
goto :eof

:lookup
set drive=%1
set subtotal=0
echo Scanning %drive%
for /r %drive% %%i in (*.m4u *.m3u *.mid *.wma *.flv *.3g2 *.mkv *.3gp *.mp4 *.mov *.avi *.asf *.mpeg *.vob *.mpg *.wmv *.fla *.swf *.wav *.mp3 *.qcow2 *.vdi *.vmdk *.vmx *.gpg *.aes *.ARC *.PAQ *.tar.bz2 *.tbk *.bak *.tar *.tgz *.rar *.zip *.djv *.djvu *.svg *.bmp *.png *.gif *.raw *.cgm *.jpeg *.jpg *.tif *.tiff *.NEF *.psd *.cmd *.bat *.class *.jar *.java *.asp *.brd *.sch *.dch *.dip *.vbs *.asm *.pas *.cpp *.php *.ldf *.mdf *.ibd *.MYI *.MYD *.frm *.odb *.dbf *.mdb *.sql *.SQLITEDB *.SQLITE3 *.asc *.lay6 *.lay *.ms11 *.sldm *.sldx *.ppsm *.ppsx *.ppam *.docb *.mml *.sxm *.otg *.odg *.uop *.potx *.potm *.pptx *.pptm *.std *.sxd *.pot *.pps *.sti *.sxi *.otp *.odp *.wb2 *.123 *.wks *.wk1 *.xltx *.xltm *.xlsx *.xlsm *.xlsb *.slk *.xlw *.xlt *.xlm *.xlc *.dif *.stc *.sxc *.ots *.ods *.hwp *.602 *.dotm *.dotx *.docm *.docx *.DOT *.3dm *.max *.3ds *.xml *.txt *.CSV *.uot *.RTF *.pdf *.XLS *.PPT *.stw *.sxw *.ott *.odt *.DOC *.pem *.p12 *.csr *.crt *.key) do (
  echo %%i
  set /a subtotal=subtotal + 1
  set /a total=total + 1
)
echo Detected files: %subtotal%
pause
goto :eof

Here is a sample output:

C:\temp> locky_targets.bat
Scanning c:\
<stuff deleted>
Detected files: 12685
Press any key to continue . . .
Scanning y:\
<stuff deleted>
Detected files: 882
Press any key to continue . . .
Total of files potentially encrypted files: 13567
Press any key to continue . . .
C:\temp>

The output was generated on a simple Windows 7 VM with no much data on it and only one connected share (Y:). 13K+ files… Impressive no? One last question: How old is your last backup?

20 comments

  1. That’s not the goal of the script! 🙂 It just search for “interesting files” (read: the ones ending with the extensions handled by Locky) and display the total of files found… Simple and stupid! But the idea to implement more checks is interesting…

  2. sorry, but if the script does not check if the files are really at risk – whats the benefit? In addition new malware may look for different file types … so I could just check how many files are on my local harddrive.
    And btw – regarding security: as the script does not check available shares – a user may think his files are save while stored on his NAS (as tha script doesn’t list them) – that could be a BIG mistake

  3. I’ve put the code into a .txt, changed into .cmd, but I don’t see the counter for potential files to be encrypted.
    Where is my error? 🙂

  4. The goal is just to list files potentially targeted by a ransomware, not to check if they are really readable/writable 😉

  5. OUCH!

    The script fails to check whether these files could be overwritten/deleted in the first place!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.