Find Files Renamed By The Crypto or Wanna Cry Ransomware Viruses
Details
Summary
Over the past few years computer systems everywhere have been dealing with ransomware viruses. Crypto, Wanna Cry, and others have hit networks all over the world. How can I find these infected files, so I can restore them from backup?
Back Story
A school district got infected with the Crypto Virus and needed a way to find all files that had been renamed to include the word "decrypt" in any part of the file name. This would give them the list needed to recover these files from backup. Similarly, Wanna Cry renames infected files by appending .WNCRY to the end of the filename.
Code
```sql
-- List files whose names carry the Crypto ("decrypt") or Wanna Cry (".WNCRY") markers,
-- so they can be restored from backup. LOWER() is used because LIKE is case-sensitive
-- on some databases and the Wanna Cry extension is upper-case.
SELECT sd.fullpath,
       sd.name,
       sd.size,
       srs.byte_string(sd.size) AS size_string,
       sd.owner_display_name
FROM srs.current_fs_scandata AS sd
WHERE LOWER(sd.name) LIKE '%decrypt%'
   OR LOWER(sd.name) LIKE '%wncry%';
```
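The same search run directly against a file share, as an added example that is not part of the original post or of the srs tool: it walks a directory tree instead of querying srs.current_fs_scandata, matches the same two name markers case-insensitively, and the byte_string helper is an assumed approximation of srs.byte_string.

```python
import os
import tempfile
from typing import Dict, Iterable, List

# Name fragments the query above looks for; matching is case-insensitive so ".WNCRY" is caught.
RANSOMWARE_NAME_MARKERS = ("decrypt", "wncry")


def byte_string(size: int) -> str:
    """Human-readable size (assumed approximation of srs.byte_string, not its real code)."""
    units = ["bytes", "KB", "MB", "GB", "TB"]
    value = float(size)
    for unit in units:
        if value < 1024 or unit == units[-1]:
            return f"{int(value)} {unit}" if unit == "bytes" else f"{value:.1f} {unit}"
        value /= 1024


def find_renamed_files(root: str, markers: Iterable[str] = RANSOMWARE_NAME_MARKERS) -> List[Dict]:
    """Walk `root` and return every file whose name contains any marker, as a restore list."""
    lowered_markers = [m.lower() for m in markers]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if any(m in lowered for m in lowered_markers):
                full = os.path.join(dirpath, name)
                size = os.path.getsize(full)
                hits.append({"fullpath": full, "name": name, "size": size,
                             "size_string": byte_string(size)})
    return sorted(hits, key=lambda h: h["fullpath"])


def build_sample_tree() -> str:
    """Constructed sample share: one Wanna Cry rename, one Crypto ransom note, one clean file."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    os.makedirs(os.path.join(root, "shared", "budget"))
    samples = {
        os.path.join("shared", "budget", "Q1.xlsx.WNCRY"): b"x" * 2048,
        os.path.join("shared", "HELP_DECRYPT.txt"): b"constructed ransom note",
        os.path.join("shared", "budget", "notes.txt"): b"clean file",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_renamed_files(build_sample_tree()):
        print(hit["fullpath"], hit["size_string"])
```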
Post date
Wednesday, March 4, 2015 - 15:25
Last modified
Wednesday, June 28, 2017 - 15:49