Find Files Renamed By The Crypto or Wanna Cry Ransomware Viruses
Over the past few years computer systems everywhere have been dealing with ransomware viruses. Crypto, Wanna Cry, and others have hit networks all over the world. How can I find these infected files, so I can restore them from backup?
A school district got infected with the Crypto Virus and needed a way to find all files that had been renamed to include the word "decrypt" in any part of the file name. This would give them the list needed to recover these files from backup. Similarly, Wanna Cry renames each file it infects, appending .WNCRY to the end of the filename.
SELECT sd.fullpath,
       sd.name,
       sd.size,
       srs.byte_string(sd.size) AS size_string,
       sd.owner_display_name
FROM srs.current_fs_scandata AS sd
WHERE sd.name LIKE '%decrypt%'
   OR sd.name LIKE '%wncry%'
Attachment: Find files with decrypt or wncry in filename.zip (379 bytes)
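The following is an added example, not part of the original article or the product: it takes the query's result exported as CSV and turns it into a per-directory restore list, stripping the .WNCRY suffix to recover the original file names. The CSV layout, the sample rows, the function name, and the assumption that fullpath includes the file name in Windows path syntax are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed rows in the shape the query returns, exported as CSV (not real data).
# Assumption: fullpath includes the file name and uses Windows path syntax.
SAMPLE_CSV = r"""fullpath,name,size,owner_display_name
D:\Shares\Staff\grades\q1.xlsx.WNCRY,q1.xlsx.WNCRY,20480,Example User A
D:\Shares\Staff\grades\roster.docx.wncry,roster.docx.wncry,10240,Example User A
D:\Shares\Office\budget.decrypt.xls,budget.decrypt.xls,4096,Example User B
D:\Shares\Office\decryption_policy.pdf,decryption_policy.pdf,512,Example User B
"""

SUFFIX = ".wncry"


def build_restore_plan(csv_text):
    """Group query hits by directory.

    Returns {directory: {"restore": [original names], "review": [hit names]}}.
    "restore" holds names recovered by stripping the .WNCRY suffix; "review"
    holds hits whose original name cannot be derived from the hit name alone.
    """
    plan = defaultdict(lambda: {"restore": [], "review": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"]
        directory = str(PureWindowsPath(row["fullpath"]).parent)
        # Compare in lower case so .WNCRY and .wncry are treated the same.
        if name.lower().endswith(SUFFIX) and len(name) > len(SUFFIX):
            plan[directory]["restore"].append(name[: -len(SUFFIX)])
        else:
            plan[directory]["review"].append(name)
    return dict(plan)


if __name__ == "__main__":
    for directory, entry in sorted(build_restore_plan(SAMPLE_CSV).items()):
        print(directory)
        for original in entry["restore"]:
            print("  restore from backup:", original)
        for hit in entry["review"]:
            print("  review manually:    ", hit)
```

Hits matched only by '%decrypt%' are listed for manual review because that pattern also matches legitimate names, such as the constructed decryption_policy.pdf row.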