CryptoLock(Variant) repair script

Use this script to search for files that have .encrypted appended to their name and replace them with a version from a shadow copy.

This PowerShell script creates the symlink from the ShadowCopy name you provide. It then searches the folder specified and replaces all affected files, removing the encrypted versions.

This script is a modified version of the one from here

 1Function New-SymLink ($link, $target)
 2{
 3#if (test-path -pathtype container $target)
 4#{
 5$command = "cmd /c mklink /d"
 6#}
 7#else
 8#{
 9#    $command = "cmd /c mklink"
10#}
11
12invoke-expression "$command $link $target"
13}
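# Removes the link at $link with a cmd.exe built-in: "rmdir" when the path
# resolves to a directory, "del" otherwise.
#   $link - path of the link to remove
Function Remove-SymLink ($link)
{
    # -LiteralPath keeps characters such as square brackets from being treated
    # as wildcards when the path is tested.
    if (Test-Path -LiteralPath $link -PathType Container)
    {
        # rmdir without /s removes a directory link itself and refuses a
        # non-empty real directory, so nothing behind the link is deleted.
        & cmd.exe /c rmdir $link
    }
    else
    {
        & cmd.exe /c del $link
    }
}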
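# Before running this script:
# Use: vssadmin list shadows to find the latest unencrypted shadow copy - see the date & time they were created
# Record the Shadow Copy Volume, and use this to create a symbolic link:
# Create a folder to hold the symbolic link: md C:\VSS
# Then use: cmd /c mklink /d C:\VSS\67 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1555\
# You need to add a trailing backslash to the Shadow Copy Volume name produced by vssadmin.
# Once done, remove the symbolic link by using: cmd /c rd C:\VSS\67

# This is the path on the file server that got encrypted:
$EncryptedPath = "E:\File Shares\"
# This is the path to your shadow copy symbolic link, i.e. the folder name used
# temporarily to mount the VSS snapshot:
$VSSPath = "c:\vsstemp\"
# File extension that the encrypted files have:
$Extension = ".encrypted"
# File name (minus extension) used for the "How to get your stuff unencrypted" files:
$RecoverFileFilter = "HOW_TO_RESTORE_FILES"

# Shadow copy volume to restore from; it must predate the encryption.
# Be sure to include the trailing \
$VSSName = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy250\"

# Drop any link left over from a previous run, then point $VSSPath at the
# chosen shadow copy. PowerShell functions take space-separated arguments;
# New-SymLink($a,$b) would pass both values as a single array to the first
# parameter.
Remove-SymLink $VSSPath
New-SymLink $VSSPath $VSSName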
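# Restore every file under $EncryptedPath whose name ends in $Extension from
# the shadow copy mounted at $VSSPath, then delete the encrypted copy.
#
# @() keeps the result an array even when exactly one file matches, so .Count
# is always defined. Folders are skipped, and the name is re-checked because
# the suffix is cut off by length below.
$FileList = @(Get-ChildItem -LiteralPath $EncryptedPath -Filter *$Extension -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Name.EndsWith($Extension, [System.StringComparison]::OrdinalIgnoreCase) })
$TotalFiles = $FileList.Count
Write-Host ("Found "+$TotalFiles)
$Counter = 0
foreach ($EncryptedFile in $FileList) {
    # Strip only the trailing extension. String.Replace would remove every
    # occurrence in the full path, including one inside a folder name.
    $DestFileName = $EncryptedFile.FullName.Substring(0, $EncryptedFile.FullName.Length - $Extension.Length)
    # Strip the first 3 characters from the full path and replace them with the
    # temporary VSS path. This assumes a drive-letter root such as "E:\".
    $StrippedName = $DestFileName.Substring(3, $DestFileName.Length - 3)
    $VSSFileName = "$VSSPath$StrippedName"

    try {
        if (Test-Path -LiteralPath $DestFileName) {
            # A file already sits at the original name (for example one
            # re-created after the incident). Copy-Item would overwrite it with
            # the older shadow-copy version, so leave both files for a manual
            # decision.
            Write-Warning "Skipped, destination already exists: $DestFileName"
        }
        else {
            # Use LiteralPath to prevent problems with paths containing special
            # characters, e.g. square brackets.
            Copy-Item -LiteralPath $VSSFileName -Destination $DestFileName -ErrorAction Stop
            # Reached only when the copy succeeded, so an encrypted file is
            # never deleted without its restored version in place.
            Remove-Item -LiteralPath $EncryptedFile.FullName -Force
        }
    }
    catch {
        # Emit the error record and carry on with the next file.
        $_
    }
    Write-Progress -Activity "Fixing" -Status $DestFileName -PercentComplete ($Counter/$TotalFiles*100)
    $Counter++
}
Write-Progress -Activity "Fixing" -Completed
Write-Host "Done recoverying files. Now cleaning up."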
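# Delete the ransom-note files left under $EncryptedPath: any file whose name
# contains $RecoverFileFilter. The deletion is permanent, so keep a copy of one
# note beforehand if the incident is still being investigated.
#
# Folders whose names happen to match are excluded; only files are removed.
$RecoveryFileList = @(Get-ChildItem -LiteralPath $EncryptedPath -Filter *$RecoverFileFilter* -Recurse |
    Where-Object { -not $_.PSIsContainer })
foreach ($RecoveryFile in $RecoveryFileList) {
    try {
        Remove-Item -LiteralPath $RecoveryFile.FullName -Force -ErrorAction Stop
    }
    catch {
        # Emit the error record and carry on with the next file.
        $_
    }
}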