Tuesday, January 21, 2014

Quick EnCase v6 & v7 EnScript to find files that have been encrypted by Cryptolocker

Many companies and individuals are struggling with the Cryptolocker malware that has been making its rounds the past few months. Some have opted to pay, some have taken the loss and reverted to backups (remember those?), while others have tried to do some data recovery.

I wanted a way to quickly identify the files that have been encrypted by the malware. Finding files on a single host is not such a big deal, but when you have files scattered throughout a network share and a host that has access to that share has been infected, things can get very ugly very quickly.

One of the first things any enterprise would need to do is identify the files that have been affected. Luckily enough, the authors of the malware provide a mechanism to see a list of files that were encrypted by clicking the "here" link on the ransom message:

The downside to this approach is that you may instead suddenly find files on a network share that won't open and appear corrupted (they look like random garbage inside), while employees do not realize that someone's host was infected and reached out and encrypted a bunch of files on the network share(s). Now comes the task of identifying all those files so you can quickly get them back from a previous backup (yeah, right).

Files encrypted by Cryptolocker are encrypted with AES-256, and the AES key used for that file is then wrapped with an RSA public key. When a file is encrypted, the RSA blob (containing the encrypted AES key) and a hash of that blob are prepended to the file.

Therefore, this EnScript quickly looks at every file (regardless of extension) and checks for this unique 'header'. If found, it will bookmark those files for easy identification.
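The same check can be expressed outside EnCase for a share that has no case open against it yet. The Python below is an added example, not the EnScript from this post: it walks a directory tree, reads the first bytes of every file regardless of extension, compares them against a header signature at offset 0, and reports the hits with size and modification time (useful when picking which backup to restore from). The `HEADER_SIGNATURE` value is a placeholder; the real marker has to be carved from a known-encrypted sample, which this post does not reproduce. The sample directory the script builds is constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# PLACEHOLDER: assumed for illustration only. Replace with the exact leading
# bytes (RSA blob + hash) observed at offset 0 of a known-encrypted sample.
HEADER_SIGNATURE = b"<PLACEHOLDER-ENCRYPTED-FILE-HEADER>"


def has_encrypted_header(path, signature=HEADER_SIGNATURE):
    """Return True if the file starts with the signature at offset 0.

    Only len(signature) bytes are read, so scanning large shares stays cheap.
    Unreadable files (locks, permissions) are reported as non-matches rather
    than aborting the whole sweep.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(signature))
    except OSError:
        return False
    return head == signature


def scan_tree(root, signature=HEADER_SIGNATURE):
    """Walk every file under root (any extension) and collect matches.

    Each hit records path, size and UTC mtime so the list can be handed to
    whoever restores from backup.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not has_encrypted_header(full, signature):
                continue
            st = os.stat(full)
            hits.append({
                "path": full,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
            })
    return sorted(hits, key=lambda h: h["path"])


def write_report(hits, out_path):
    """Write a tab-separated report; returns the number of rows written."""
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write("mtime_utc\tsize\tpath\n")
        for h in hits:
            fh.write(f"{h['mtime'].isoformat()}\t{h['size']}\t{h['path']}\n")
    return len(hits)


def build_sample_tree():
    """Constructed sample share: two 'encrypted' files, one untouched file.

    The encrypted bodies are random bytes behind the placeholder header; the
    'photo' file deliberately has no extension to show the scan ignores names.
    """
    root = tempfile.mkdtemp(prefix="cryptolocker_demo_")
    share = Path(root) / "share" / "finance"
    share.mkdir(parents=True)
    (share / "budget.xlsx").write_bytes(HEADER_SIGNATURE + os.urandom(512))
    (share / "notes.txt").write_bytes(b"Plain text memo, never touched.\n")
    (share / "photo").write_bytes(HEADER_SIGNATURE + os.urandom(2048))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found = scan_tree(demo_root)
    report = os.path.join(demo_root, "encrypted_files.tsv")
    print(f"{write_report(found, report)} encrypted file(s); report: {report}")
    for hit in found:
        print(hit["mtime"].isoformat(), hit["size"], hit["path"])
```

Point the script at the share root rather than at a single host; because it keys on the header at offset 0 and not on file name or extension, renamed or extensionless files are caught too, which is the same reason the EnScript does not filter by extension.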

Download here EnCase EnScript v6 & v7 


Computer Forensics, Malware Analysis & Digital Investigations