
RansomwareRestore – A module to identify and restore files which have been encrypted by ransomware.


The RansomwareRestore module was created after my work had repeated malware infections, which took clients' files offline for days at a time. This module was developed to accelerate the identification, restoration, and cleanup of encrypted files in our environment. Currently this module targets NetApp snapshots, but more backup/restore methods could be added over time. Future versions of this module will be built to allow for this change and flexibility.

To use this module, the following two modules must be installed:
1. NTFSSecurity (http://ntfssecurity.codeplex.com/)
2. DataONTAP module for NetApp (you need to be a NetApp customer to download it)

RansomwareRestore Powershell Module.

Module list:
+ Get-EncryptedFiles: Generates a list of encrypted files found under a search path, using the rename pattern of the identified ransomware family.
+ Get-RansomwareFamily: Determines the ransomware family from two sample encrypted files.
+ Remove-EncryptedFiles: Removes a list of encrypted files from the file share.
+ Restore-EncryptedFiles: Works with the other commands to restore files on the NetApp file system from snapshots. The command lists the available snapshots and then restores the files from them.
+ Get-CleanupFiles: Gets a list of non-encrypted files left behind by the ransomware (ransom notes and similar), matched by a name filter.
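The first two steps of that workflow, identifying the rename pattern and then enumerating the files that match it, shown here as an added example. This is not code from the RansomwareRestore module; the function names, the ".locky" extension and the files created under $demo are constructed for the example, and the entropy threshold is an assumption chosen to separate random bytes from plain text:

```powershell
# Added example (not code from the RansomwareRestore module): infer the
# extension a ransomware family appended from two known-encrypted samples, then
# scan a path for matching files and confirm each one looks like ciphertext.
# ".locky" and everything created under $demo are constructed sample data.

function Get-AppendedExtension {
    param(
        [Parameter(Mandatory)][string]$FirstFilePath,
        [Parameter(Mandatory)][string]$SecondFilePath
    )
    $a = Split-Path -Leaf $FirstFilePath
    $b = Split-Path -Leaf $SecondFilePath
    # Longest common trailing string of the two names, e.g. ".locky" for
    # "a.txt.locky" and "b.doc.locky": the original extensions differ, so the
    # comparison stops exactly at the appended part.
    $n = [Math]::Min($a.Length, $b.Length); $i = 0
    while ($i -lt $n -and $a[$a.Length - 1 - $i] -eq $b[$b.Length - 1 - $i]) { $i++ }
    $suffix = $a.Substring($a.Length - $i)
    $dot = $suffix.LastIndexOf('.')
    if ($dot -lt 0) { throw "Samples share no trailing extension; cannot infer a rename pattern." }
    return $suffix.Substring($dot)
}

function Get-ByteEntropy {
    param([byte[]]$Bytes)
    # Shannon entropy in bits per byte. Close to 8 for ciphertext, but also for
    # zip-based formats such as .docx, so use it only to confirm files already
    # selected by the rename pattern, never as the sole detector.
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Find-EncryptedFiles {
    param(
        [Parameter(Mandatory)][string]$SearchPath,
        [Parameter(Mandatory)][string]$Extension,
        [double]$EntropyThreshold = 7.0   # assumption: random bytes score ~7.9, text well below
    )
    Get-ChildItem -Path $SearchPath -Recurse -File -Force -Filter "*$Extension" | ForEach-Object {
        # Sample the first 4 KB only; reading whole files across a share is the slow part.
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try {
            $buf = New-Object byte[] 4096
            $read = $fs.Read($buf, 0, $buf.Length)
        } finally { $fs.Dispose() }
        [byte[]]$sample = if ($read -gt 0) { $buf[0..($read - 1)] } else { @() }
        $entropy = Get-ByteEntropy $sample
        [pscustomobject]@{
            FullName        = $_.FullName
            LastWriteTime   = $_.LastWriteTime
            Entropy         = [Math]::Round($entropy, 2)
            LikelyEncrypted = $entropy -ge $EntropyThreshold
        }
    }
}

# --- constructed sample data: two "encrypted" files, one decoy, one clean file ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("rr-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($name in 'a.txt.locky', 'b.doc.locky') {
    $bytes = New-Object byte[] 4096; $rng.GetBytes($bytes)
    [System.IO.File]::WriteAllBytes((Join-Path $demo $name), $bytes)   # random bytes stand in for ciphertext
}
'just a note, not ciphertext' | Set-Content (Join-Path $demo 'readme.locky')   # name matches, content does not
'untouched' | Set-Content (Join-Path $demo 'clean.txt')

$ext = Get-AppendedExtension -FirstFilePath (Join-Path $demo 'a.txt.locky') -SecondFilePath (Join-Path $demo 'b.doc.locky')
"Inferred extension: $ext"
Find-EncryptedFiles -SearchPath $demo -Extension $ext | Format-Table -AutoSize
Remove-Item $demo -Recurse -Force
```

In the constructed data the decoy readme.locky is picked up by the name filter but fails the entropy check, which is the case a restore list has to handle before anything is deleted or overwritten: a file named like the victims but holding plain text is a ransom note or a false positive, not ciphertext.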

Parameter examples:

Get-EncryptedFiles -RansomwareFamily (Get-RansomwareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc") -searchPath "C:\folder"

Get-RansomwareFamily -firstFilePath "c:\testtxt.txt" -secondFilePath "c:\testdoc.doc" | Get-EncryptedFiles -searchPath "c:\folder"

Restore-EncryptedFiles -restoreList $list -netappFileServer svm_XXXXXXfs01 -netappController netapp01 -netAppCredential $credential -restoreBase /svm_XXXXXXfs01_data -incidentNumber INCTEST12 -restoreDate 3/27/2016 -fileSystemBase \\XXXXXXfs01\c$\svm_XXXXXXfs01_data -Overwrite -ransomwareFamily $encryptedFamily

Restore-EncryptedFiles -restoreList $list -netappFileServer svm_XXXXXXfs01 -netappController netapp01 -netAppCredential $credential -restoreBase /svm_XXXXXXfs01_data -incidentNumber INCTEST12 -restoreDate 3/27/2016 -fileSystemBase \\XXXXXXfs01\c$\svm_XXXXXXfs01_data -Overwrite -ransomwareFamily (Get-RansomwareFamily -firstFilePath c:\admin\test.txt -secondFilePath c:\admin\test2.txt)

Get-CleanupFiles -filter "HelpDecrypt_" -searchPath "c:\"
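The restore step, as an added example that is not part of the module: instead of the DataONTAP cmdlets it reads the ~snapshot directory that NetApp exposes on a CIFS share, which needs only read access to the share rather than controller credentials. The function names are my own; the ONTAP-style snapshot names, the ".locky" extension and the share layout built under $root are constructed sample data, and the assumption that the share is configured to show its snapshot directory is stated in the code:

```powershell
# Added example (not the RansomwareRestore module's code): restore originals from
# the ~snapshot directory NetApp exposes on a CIFS share, instead of calling the
# DataONTAP cmdlets. Assumptions: the share is configured to show ~snapshot, the
# snapshot names carry an ONTAP-style timestamp such as daily.2016-03-26_0010,
# and the family appended a fixed extension (".locky" and the files under $root
# below are constructed sample data).

function Get-SnapshotCandidates {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,
        [Parameter(Mandatory)][datetime]$RestoreDate
    )
    # Snapshots taken on or before the last known-good date, newest first.
    # -ErrorAction Stop: a share without a visible ~snapshot directory should fail loudly.
    Get-ChildItem -LiteralPath (Join-Path $ShareRoot '~snapshot') -Directory -Force -ErrorAction Stop |
        ForEach-Object {
            if ($_.Name -match '(\d{4}-\d{2}-\d{2})_(\d{4})') {
                [pscustomobject]@{
                    Path  = $_.FullName
                    Taken = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])", 'yyyy-MM-dd HHmm', $null)
                }
            }
        } |
        Where-Object { $_.Taken -le $RestoreDate } |
        Sort-Object Taken -Descending
}

function Restore-FromSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$RestoreList,    # full paths of the encrypted files
        [Parameter(Mandatory)][string]$ShareRoot,
        [Parameter(Mandatory)][string]$Extension,
        [Parameter(Mandatory)][datetime]$RestoreDate,
        [switch]$Overwrite
    )
    $snapshots = @(Get-SnapshotCandidates -ShareRoot $ShareRoot -RestoreDate $RestoreDate)
    foreach ($encrypted in $RestoreList) {
        $inShare   = $encrypted.StartsWith($ShareRoot, [StringComparison]::OrdinalIgnoreCase)
        $hasSuffix = $encrypted.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase)
        if (-not ($inShare -and $hasSuffix)) {
            [pscustomobject]@{ Encrypted = $encrypted; Target = $null; Source = $null; Status = 'OutsideShareOrWrongName' }
            continue
        }
        $relative    = $encrypted.Substring($ShareRoot.Length).TrimStart('\', '/')
        $originalRel = $relative.Substring(0, $relative.Length - $Extension.Length)
        $target      = Join-Path $ShareRoot $originalRel
        # Walk back through the snapshots until one holds the original and NOT the
        # renamed copy: a snapshot that already contains the renamed file was taken
        # after the infection reached this path, whatever its date says.
        $source = $null
        foreach ($snap in $snapshots) {
            $clean = Join-Path $snap.Path $originalRel
            if ((Test-Path -LiteralPath $clean) -and -not (Test-Path -LiteralPath (Join-Path $snap.Path $relative))) {
                $source = $clean; break
            }
        }
        if (-not $source) { $status = 'NoCleanSnapshot' }
        elseif ((Test-Path -LiteralPath $target) -and -not $Overwrite) { $status = 'TargetExists' }
        elseif ($PSCmdlet.ShouldProcess($target, "Restore from $source")) {
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -LiteralPath $source -Destination $target -Force
            $status = 'Restored'
        }
        else { $status = 'Skipped' }   # -WhatIf
        [pscustomobject]@{ Encrypted = $encrypted; Target = $target; Source = $source; Status = $status }
    }
}

# --- constructed sample share layout (forward slashes so it also runs on pwsh/Linux) ---
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("rr-demo-" + [guid]::NewGuid())
$ext  = '.locky'
foreach ($d in 'docs', '~snapshot/daily.2016-03-25_0010/docs', '~snapshot/daily.2016-03-26_0010/docs', '~snapshot/daily.2016-03-28_0010/docs') {
    New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null
}
'ciphertext'            | Set-Content -LiteralPath (Join-Path $root "docs/report.docx$ext")
'clean copy from 03-25' | Set-Content -LiteralPath (Join-Path $root '~snapshot/daily.2016-03-25_0010/docs/report.docx')
'clean copy from 03-26' | Set-Content -LiteralPath (Join-Path $root '~snapshot/daily.2016-03-26_0010/docs/report.docx')
'ciphertext'            | Set-Content -LiteralPath (Join-Path $root "~snapshot/daily.2016-03-28_0010/docs/report.docx$ext")

$list = @(Join-Path $root "docs/report.docx$ext")
Restore-FromSnapshot -RestoreList $list -ShareRoot $root -Extension $ext -RestoreDate '2016-03-29' -Overwrite | Format-Table -AutoSize
Get-Content -LiteralPath (Join-Path $root 'docs/report.docx')
Remove-Item -LiteralPath $root -Recurse -Force
```

With -RestoreDate set after the infection, the newest candidate is the 03-28 snapshot, but it already holds report.docx.locky, so the loop falls back to the 03-26 copy; run it with -WhatIf first to see which snapshot each file would come from. Two caveats for real shares: the ~snapshot directory is only visible when the share or volume is configured to show it, and Copy-Item writes the restored file under the restoring account with permissions inherited from the destination folder, not the ACL the file had in the snapshot, which is the reason a module like this depends on NTFSSecurity to put the original ACLs back.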

Download: RansomwareRestore.zip
Source: https://github.com/armentpau

