The RansomwareRestore module was created after repeated malware infections at my workplace took clients' file servers offline for days at a time. This module was developed to accelerate the identification, restoration, and cleanup of encrypted files in our environment. Currently this module can only restore from netapp snapshots, but more backup/restore methods could be added over time. Future versions of this module will be built to allow for this.
To use this module, the following two modules are required in order to work properly (when netapp is no longer the only restoration option, the DataOnTap module will no longer be required):
- NTFSSecurity Original Version: http://ntfssecurity.codeplex.com Recommended version: https://github.com/armentpau/NTFSSecurity (this fixes some issues with hidden folders/files)
- DataOnTap module for netapp (you need to be a netapp customer to download)
The name of the netapp controller to connect to
The name of the vserver to connect to. Usually the format of this is svm_XXXXXXfs01
A credential object that can be passed to the script. The format of the username is DOMAIN\Username with the domain in ALL UPPERCASE. If the domain is not in all uppercase the login will fail.
The username of a user that has access to netapp that can be passed to the script. The format of the username is DOMAIN\Username with the domain in ALL UPPERCASE. If the domain is not in all uppercase the login will fail. The script will prompt for the password through a secure form if this option is chosen.
Generates a list of encrypted files on the file system.
This script relies on the command Get-VCPIRansomwareFamily to determine how to search for encrypted files on the network share. Based on this information, the script identifies the encrypted files and outputs a list of file objects to the screen or to a variable.
An object identifying the family of RansomWare that has encrypted the network file share
The path to search for encrypted files
PS C:>
get-EncryptedFiles -RansomWareFamily (get-RansomWareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc") -searchPath "C:\folder"
The parameter RansomWareFamily is expecting the output object from get-RansomWareFamily. This can either be stored in a variable or called at runtime.
PS C:>
get-RansomWareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc" | get-EncryptedFiles -searchPath "c:\folder"
The parameter RansomWareFamily is expecting the output object from get-RansomWareFamily. This can either be stored in a variable or called at runtime.
PS C:>
$family = get-RansomWareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc"
get-EncryptedFiles -RansomWareFamily $family -searchPath "c:\folder"
The parameter RansomWareFamily is expecting the output object from get-RansomWareFamily. This can either be stored in a variable or called at runtime.
Determines the type of RansomWare depending on the input of two files
The first file to analyze
The second file to analyze
PS C:>
get-EncryptedFiles -RansomWareFamily (get-RansomWareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc") -searchPath "C:\folder"
PS C:>
get-RansomWareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc" | get-EncryptedFiles -searchPath "c:\folder"
PS C:>
$family = get-RansomWareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc"
get-EncryptedFiles -RansomWareFamily $family -searchPath "c:\folder"
Removes a list of encrypted files from the file share
A list of files to remove. This list is an object which should be provided by Get-VCPIEncryptedFiles or Get-VCPICleanupFiles
PS C:>
Remove-EncryptedFiles -removelist $list
Use a list of files from Get-Cleanupfiles command to remove from the file server. You can also use a list from Get-EncryptedFiles instead. This is basically a cleanup function.
This function works with other commands to restore files on the netapp file system from snapshots. The command lists all of the available snapshots and then works on restoring the files.
A list of files to restore. This list is an object which should be provided by Get-VCPIEncryptedFiles
The netapp file server to connect to. This is usually in the format of svm_XXXXXfs01.
The name of the netapp controller to connect to
A credential object that can be passed to the script. The format of the username is DOMAIN\Username with the domain in ALL UPPERCASE. If the domain is not in all uppercase the login will fail.
The path of the netapp volume. Usually this is in the format of /svm_XXXXXfs01_data
The Incident/Task number from ServiceNow
The date to restore the files to. This is in the format M/D/YYYY. Examples: 3/31/2016, 3/1/2016, 12/1/2016
The base of the file string in the file path to replace with the temporary share path. This is usually in the format of: \\XXXXXFS01\c$\svm_XXXXXFS01_data
If this flag is selected the files will be deleted first in the original location and then copied over. This works around file paths longer than 256 characters.
The username of a user that has access to netapp that can be passed to the script. The format of the username is DOMAIN\Username with the domain in ALL UPPERCASE. If the domain is not in all uppercase the login will fail. The script will prompt for the password through a secure form if this option is chosen.
An object identifying the family of RansomWare that has encrypted the network file share, this object is from the Get-VCPIRansomwareFamily command
PS C:>
Restore-EncryptedFiles -restoreList $list -netappFileServer svm_XXXXXXfs01 -netappController netapp01 -netAppCredential $credential -restoreBase /svm_XXXXXXfs01_data -incidentNumber INCTEST12 -restoreDate 3/27/2016 -fileSystemBase \\XXXXXXfs01\c$\svm_XXXXXXfs01_data -Overwrite -ransomwareFamily $encryptedFamily
Using the netappCredential parameter, you pass a credential object to the command. This can easily be created by using the following command: $credential = get-credential
PS C:>
Restore-EncryptedFiles -restoreList $list -netappFileServer svm_XXXXXXfs01 -netappController netapp01 -netAppCredential $credential -restoreBase /svm_XXXXXXfs01_data -incidentNumber INCTEST12 -restoreDate 3/27/2016 -fileSystemBase \\XXXXXXfs01\c$\svm_XXXXXXfs01_data -Overwrite -ransomwareFamily (get-RansomwareFamily -firstFilePath c:\admin\test.txt -secondFilePath c:\admin\test2.txt)
Using the netappCredential parameter, you pass a credential object to the command. This can easily be created by using the following command: $credential = get-credential
PS C:>
Restore-EncryptedFiles -restoreList $list -netappFileServer svm_XXXXXXfs01 -netappController netapp01 -netAppUsername DOMAIN\Username -restoreBase /svm_XXXXXXfs01_data -incidentNumber INCTEST12 -restoreDate 3/27/2016 -fileSystemBase \\XXXXXXfs01\c$\svm_XXXXXXfs01_data -Overwrite -ransomwareFamily (get-RansomwareFamily -firstFilePath c:\admin\test.txt -secondFilePath c:\admin\test2.txt)
Using the NetAppUsername parameter and filling in the username, you are prompted for your password.
Gets a list of files left over by the ransomware that are not encrypted
This command retrieves a list of files left by the ransomware which are not encrypted. These files are usually the ransomware notification messages and are typically .html, .txt and an image file (.png, .jpeg, etc.)
Use the filter to filter the files on the file system by a unique value. Typically this will be the specific name of the ransomware note, which is dropped in three different formats. DO NOT USE WILDCARDS.
The root path to search for the files to cleanup.
PS C:>
Get-CleanupFiles -filter "HelpDecrypt_" -searchPath "c:\"
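An end-to-end run of the documented commands for one incident, as an added example that is not part of the RansomwareRestore module. Server names, paths, the incident number and the ransom-note filter value are placeholders, the module names passed to Import-Module are assumed, and the credential-format check is a hypothetical helper written here to catch the uppercase-domain requirement before the restore starts.

```powershell
# Added example, not module code. Module names below are assumed.
Import-Module NTFSSecurity
Import-Module DataONTAP
Import-Module RansomwareRestore

# The module requires DOMAIN\Username with the domain in upper case;
# hypothetical helper that rejects a bad credential before the restore starts.
function Test-NetAppCredentialFormat {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $parts = $Credential.UserName -split '\\', 2
    if ($parts.Count -ne 2) { return $false }
    # -ceq is case-sensitive, so a lowercase domain fails here
    return $parts[0] -ceq $parts[0].ToUpperInvariant()
}

$credential = Get-Credential -Message 'NetApp admin (DOMAIN\Username, domain in UPPERCASE)'
if (-not (Test-NetAppCredentialFormat $credential)) {
    throw 'Username must be DOMAIN\Username with the domain in upper case'
}

# 1. Identify the family from two encrypted samples of different file types (placeholder paths).
$family = get-RansomWareFamily -firstFilePath '\\XXXXXXfs01\data\sample.txt' `
                               -secondFilePath '\\XXXXXXfs01\data\sample.doc'

# 2. Enumerate the encrypted files and keep the list as incident evidence before changing anything.
$encrypted = get-EncryptedFiles -RansomWareFamily $family -searchPath '\\XXXXXXfs01\data'
$encrypted | Export-Csv -Path 'C:\incidents\INCTEST12-encrypted.csv' -NoTypeInformation

# 3. Restore from the snapshot taken before the infection (placeholder date and names).
Restore-EncryptedFiles -restoreList $encrypted -netappFileServer svm_XXXXXXfs01 `
    -netappController netapp01 -netAppCredential $credential `
    -restoreBase /svm_XXXXXXfs01_data -incidentNumber INCTEST12 -restoreDate 3/27/2016 `
    -fileSystemBase \\XXXXXXfs01\c$\svm_XXXXXXfs01_data -Overwrite -ransomwareFamily $family

# 4. Collect the ransom notes (literal name fragment, no wildcards), record them, then remove them.
$notes = Get-CleanupFiles -filter 'HelpDecrypt_' -searchPath '\\XXXXXXfs01\data'
$notes | Export-Csv -Path 'C:\incidents\INCTEST12-notes.csv' -NoTypeInformation
Remove-EncryptedFiles -removelist $notes
```

Exporting both lists before the restore and the cleanup leaves a record of what was touched for the ServiceNow incident, independent of the module's own output.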