Find Files Renamed By The Crypto or Wanna Cry Ransomware Viruses


Summary

Over the past few years computer systems everywhere have been dealing with ransomware viruses. Crypto, Wanna Cry, and others have hit networks all over the world. How can I find the files these infections have renamed, so I can restore them from backup?

Back Story

A school district got infected with the Crypto virus and needed a way to find all files that had been renamed to include the word "decrypt" anywhere in the file name. This gave them the list they needed to recover those files from backup. Similarly, Wanna Cry renames each file it encrypts by appending .WNCRY to the end of the original filename.

This query can be modified to search for any partial word in filenames, by modifying the last two lines of the query.

Code
SELECT
    sd.fullpath,
    sd.name,
    sd.size,
    srs.byte_string(sd.size) AS size_string,
    sd.owner_display_name
FROM
    srs.current_fs_scandata AS sd
WHERE
    -- Crypto family: "decrypt" anywhere in the file name
    sd.name LIKE '%decrypt%' OR
    -- Wanna Cry: .WNCRY appended to the original file name
    sd.name LIKE '%wncry%'
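The same search, as an added example that is not part of the original query or the product it runs in: Python with an in-memory SQLite table standing in for srs.current_fs_scandata (same column names, constructed sample rows, the vendor function srs.byte_string omitted). It shows a marker list that anchors .WNCRY as the final extension, makes the match case-insensitive regardless of collation, and groups hits by owner for the restore list; the unanchored "decrypt" marker deliberately still catches a legitimate file so the need to review hits before restoring is visible.

```python
"""Ransomware-rename search over a constructed file-scan table (sqlite3)."""
import sqlite3

# Markers from the page. Patterns are matched against LOWER(name).
MARKERS = [
    ("crypto", "%decrypt%"),  # anywhere in the name (ransom notes, renamed files)
    ("wannacry", "%.wncry"),  # anchored: .WNCRY must be the final extension
]

# Constructed sample rows: (fullpath, name, size, owner_display_name)
SCAN_ROWS = [
    ("/share/finance/budget.xlsx.WNCRY", "budget.xlsx.WNCRY", 48213, "jdoe"),
    ("/share/finance/HOW_TO_DECRYPT_FILES.txt", "HOW_TO_DECRYPT_FILES.txt", 1140, "jdoe"),
    ("/share/hr/staff.docx", "staff.docx", 20480, "asmith"),
    ("/share/it/tools/decrypt_notes.md", "decrypt_notes.md", 900, "itadmin"),  # benign, still hit
    ("/share/it/wncry_ioc_list.csv", "wncry_ioc_list.csv", 3000, "itadmin"),  # not hit: anchored
]


def build_scan_db():
    """Stand-in for the reporting database: one table with the page's columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE current_fs_scandata "
                 "(fullpath TEXT, name TEXT, size INTEGER, owner_display_name TEXT)")
    conn.executemany("INSERT INTO current_fs_scandata VALUES (?, ?, ?, ?)", SCAN_ROWS)
    return conn


def find_renamed_files(conn):
    """Return sorted (fullpath, owner, marker) tuples for every row matching a marker."""
    sql = ("SELECT sd.fullpath, sd.owner_display_name, ? AS marker "
           "FROM current_fs_scandata AS sd "
           "WHERE LOWER(sd.name) LIKE ?")
    hits = []
    for marker, pattern in MARKERS:
        hits.extend(conn.execute(sql, (marker, pattern)).fetchall())
    return sorted(set(hits))


def restore_list_by_owner(hits):
    """Group hit paths by owner so each user's files can be pulled from backup."""
    by_owner = {}
    for path, owner, _marker in hits:
        by_owner.setdefault(owner, []).append(path)
    return by_owner


if __name__ == "__main__":
    for owner, paths in restore_list_by_owner(find_renamed_files(build_scan_db())).items():
        print(owner, paths)
```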
Author
richlagger
Last modified
Friday, April 15, 2022 - 12:15
Properties
Includes a Report Layout
No