Is someone willing to craft me a script? The system is Win10, if PowerShell or some other interface is easier. It is a system that suffered a ransomware infection. The files were decrypted (Nemucod). The originals should not be deleted until it is verified that the data copies that were created are correct. There are too many to do in the short term.
The goal is to find all files with the crypted extension and transfer them to another partition while maintaining the directory structure.
e.g.
c:\file1.crypted
c:\stuff\file8.crypted
moved to
e:\file1.crypted
e:\stuff\file8.crypted
Keeping the file attributes including security would be beneficial. Robocopy may offer this functionality. After multiple attempts I was unable to correctly utilize it.
Thanks in advance.
Last edited by corhsin (08 Jun 2017 04:08)
There's a PowerShell script here I think you could adapt:
https://ss64.org/viewtopic.php?id=453
Change the part that looks for 0 bytes to look instead for the file extension; you will probably also need to swap around what gets copied where, but I think the basic structure will get you started.
Hi,
You can give this batch file a try:
@echo off
Color 9E & Mode con cols=80 lines=3
Title Search and backup Crypted files by a Ransomware by Hackoo 2017
echo(
echo Please wait ... Search and backup of your crypted files is in progress ...
rem List of every matching path, written next to this script
set "LogSearch=%~dpn0.txt"
rem Quotes go around the variable where it is used, not inside its value
set "Pattern=*.Crypted"
set "Backup_Crypted_Folder=E:\Backup_Crypted_Folder"
rem /R searches recursively, /F prints each path in double quotes
rem Access-denied messages are discarded so the log holds only real paths
Where /R C:\ "%Pattern%" /F >"%LogSearch%" 2>nul
If "%ErrorLevel%" EQU "1" (
Cls
echo(
echo --------------------------------------------------------------------------
echo No file found with this Pattern
echo --------------------------------------------------------------------------
) else (
for /f "delims=" %%A in ('Type "%LogSearch%"') do (
rem Skip directories whose name happens to match the pattern
if not exist "%%~fA\*" (
rem Recreate the source directory tree under the backup folder
md "%Backup_Crypted_Folder%%%~pA">nul 2>&1
rem COPY /N would give the copy its 8.3 short name, so it is not used here
copy /Y "%%~fA" "%Backup_Crypted_Folder%%%~pnxA">nul 2>&1
)
)
)
Explorer "%Backup_Crypted_Folder%"
Last edited by Hackoo (18 May 2017 16:10)
That is great. I will give it a go in just a few hours. I was looking over this (viewtopic.php?id=1538) in hopes it could be adapted. I will let you know when it is up again. Thank you!
I finally accomplished this. The scan took hours after I had to repartition to account for 100GB of data. It made copies of the .CRYPTED files on E:. Was that the intent? I am looking this over to modify it, to copy the files with the security attributes (via Robocopy?). I then intend for all files on C: to have the .CRYPTED extension removed. Is that doable with Robocopy? Some of my initial failed attempts are included below. Thank you.
ROBOCOPY source destination [file [file]...] [options]
robocopy c:\ c:\infected_copies\ *.crypted /e /zb /copyall /move /dcopy:dat /eta /log:c:\infected_copies\robocopy_log.txt /tee /save c:\infected_copies\robocopy_job /xd "System Volume Information"
robocopy c:\ c:\Infected_Copies\ Longestfilenameever1234.* /s /zb /copyall /move /dcopy:dat /eta /xd "System Volume Information" /xj /r:5 /w:1 /log:c:\Infected_Copies\Robocopy_Log.txt /tee /save:c:\Infected_Copies\Robocopy_Job
Undo the above:
robocopy c:\Infected_Copies\ c:\ Longestfilenameever1234.* /s /zb /copyall /move /dcopy:dat /eta /xd "System Volume Information" /xj /r:5 /w:1 /log:c:\Infected_Copies\Robocopy_Log.txt /tee /save:c:\Infected_Copies\Robocopy_Job
:: Robocopy Job C:\INFECTED_COPIES\ROBOCOPY_JOB.RCJ
:: Created by xx on Monday, May 08, 2017 at 2:56:37 PM
:: Source Directory :
/SD:c:\Infected_Copies\ :: Source Directory.
:: Destination Directory :
/NODD :: NO Destination Directory is specified.
:: Include These Files :
/IF :: Include Files matching these names
Longestfilenameever1234.*
/XJ :: eXclude Junction points. (normally included by default).
:: Exclude These Directories :
/XD :: eXclude Directories matching these names
System Volume Information
:: Exclude These Files :
/XF :: eXclude Files matching these names
:: :: eXclude no names (currently - Command Line may override)
:: Copy options :
/S :: copy Subdirectories, but not empty ones.
/COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).
/MOVE :: MOVE files AND dirs (delete from source after copying).
/ZB :: use restartable mode; if access denied use Backup mode.
:: Retry Options :
/R:5 :: number of Retries on failed copies: default 1 million.
/W:1 :: Wait time between retries: default is 30 seconds.
:: Logging Options :
/ETA :: show Estimated Time of Arrival of copied files.
/LOG:c:\Infected_Copies\Robocopy_Log.txt :: output status to LOG file (overwrite existing log).
/TEE :: output to console window, as well as the log file.
xcopy c:\*.crypted c:\infected_files\ /a /w /c /h /k /o /x
P.S. I did work out that "ren *.crypted *." will remove the extensions. Will this accept /s?
Last edited by corhsin (08 Jun 2017 07:51)
Can anyone tell me if substituting the copy command with the robocopy string is all that is needed?
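The request in the first post and the later Robocopy question, worked through as an added PowerShell example that is not from any poster in this thread: it copies every *.crypted file under C:\ to E:\ with the same directory layout, carries the NTFS ACL and creation time over, and hashes each copy against its original so the originals are deleted only after the log shows every copy matched. The source, destination, extension and log path are assumptions; Robocopy is not used.

```powershell
# Added example, not from any poster in this thread. Paths below are assumptions.
# Copies every *.crypted file under $Source to $Destination, keeping the directory
# layout and the NTFS ACL, then verifies each copy by SHA-256 hash. Originals are
# never modified or deleted; delete them only after reviewing the CSV log.
# Run in an elevated PowerShell so Set-Acl can restore the original owner.
param(
    [string]$Source      = 'C:\',
    [string]$Destination = 'E:\Backup_Crypted_Folder',   # must not be under $Source
    [string]$Extension   = '.crypted',
    [string]$Log         = 'E:\Backup_Crypted_Folder\verify.csv'
)

$files = Get-ChildItem -LiteralPath $Source -Recurse -File -Force -ErrorAction SilentlyContinue |
         Where-Object { $_.Extension -ieq $Extension }
if (-not $files) { 'No {0} files found under {1}' -f $Extension, $Source; return }

$results = foreach ($f in $files) {
    # Path relative to the source root, e.g. stuff\file8.crypted
    $rel     = $f.FullName.Substring($Source.Length).TrimStart('\')
    $dest    = Join-Path $Destination $rel
    $destDir = Split-Path -Parent $dest
    if (-not (Test-Path -LiteralPath $destDir)) {
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    }
    # Copy-Item keeps attribute bits and last-write time, but not the ACL or creation time
    Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
    try {
        Set-Acl -LiteralPath $dest -AclObject (Get-Acl -LiteralPath $f.FullName)
        (Get-Item -LiteralPath $dest -Force).CreationTime = $f.CreationTime
        $metaOk = $true
    } catch {
        Write-Warning "Metadata not applied to ${dest}: $_"
        $metaOk = $false
    }
    # Compare content before anyone removes the original
    $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    [pscustomobject]@{
        Source     = $f.FullName
        Copy       = $dest
        HashMatch  = ($srcHash -eq $dstHash)
        MetadataOk = $metaOk
    }
}

$results | Export-Csv -LiteralPath $Log -NoTypeInformation
$bad = @($results | Where-Object { -not $_.HashMatch -or -not $_.MetadataOk })
'{0} files copied, {1} need attention, details in {2}' -f @($results).Count, $bad.Count, $Log
```

Review the CSV for any row where HashMatch or MetadataOk is False before removing or renaming anything on C:.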