Highest Rated Comments


gsuberland (1300 karma)

A company I did some work for got hit by the new version of CryptoWall recently, via someone's PA opening a dodgy Word document. The malware encrypted a bunch of her files (renamed them to blah.doc.ecc) and then went to work on their entire SAN, which was accessible from the victim laptop. AV caught it 8 hours later (new sig in the latest definitions), by which time it'd encrypted a few hundred thousand documents.

You'd think this sounds dire, but one of their sysadmin guys shrugged it off like it was nothing. CryptoWall keeps a log of all the file names it has encrypted, so he wrote a PowerShell script to go through and revert all the files to their previous shadow copies and they were back up and running after an hour. No ransom paid, all files restored.

They now have heuristics on the SAN to catch these operations in real-time.

gsuberland (69 karma)

To be fair this was a huge company with a dedicated security team and a respectable budget.

gsuberland (46 karma)

I'm actually glad you didn't pick that option. I have enough trouble getting people to properly filter paths to avoid traversal bugs, let alone trying to get them to properly distinguish between TLDs, domains, subdomains, paths, and file paths when they all have the same separator character.

gsuberland (43 karma)

This was 3.0 (the latest) and it didn't delete the shadows. That being said, it might've been because the infected user didn't have access to shadow copies via the mapped volume.

gsuberland (38 karma)

Not my script, nor my IT guy. Was a client.

That being said, it's just a case of doing File.ReadAllLines to load the paths into an array, regexing/splitting out whatever gunk is in there per line, then looping through and invoking volrest (or similar) for each file.
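The recovery loop described above, written out as an added PowerShell example (not the commenter's or the client's script): it pulls paths out of the ransomware log, maps each drive to its newest Volume Shadow Copy via Win32_ShadowCopy and a temporary directory symlink instead of volrest, and copies each pre-encryption file back. The log format (one path per line with surrounding junk), the `.ecc` suffix being stripped to get the original name, and running elevated on the server that owns the volumes are all assumptions.

```powershell
param(
    [Parameter(Mandatory)][string]$LogPath,
    [string]$EncryptedExtension = '.ecc'   # assumed: the suffix CryptoWall appended in this thread
)

# Pull the first Windows path out of each log line, keep only encrypted files, dedupe.
$pathRegex = '[A-Za-z]:\\[^|"<>*?\r\n]+'
$targets = Get-Content -LiteralPath $LogPath |
    ForEach-Object { if ($_ -match $pathRegex) { $Matches[0].TrimEnd() } } |
    Where-Object { $_ -like "*$EncryptedExtension" } | Sort-Object -Unique

# Newest shadow copy per drive letter, exposed through a directory symlink in %TEMP%.
$volumes = Get-CimInstance Win32_Volume
$links = @{}
foreach ($sc in Get-CimInstance Win32_ShadowCopy | Sort-Object InstallDate -Descending) {
    $drive = ($volumes | Where-Object DeviceID -eq $sc.VolumeName).DriveLetter
    if (-not $drive -or $links.ContainsKey($drive)) { continue }
    $link = Join-Path $env:TEMP ("vss_" + $drive.TrimEnd(':'))
    # mklink needs the trailing backslash on the shadow device path
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    $links[$drive] = $link
}

$restored = 0; $missing = 0
try {
    foreach ($encrypted in $targets) {
        # blah.doc.ecc -> blah.doc (the malware renamed, so the original path is free)
        $original = $encrypted.Substring(0, $encrypted.Length - $EncryptedExtension.Length)
        $drive = $original.Substring(0, 2)
        if (-not $links.ContainsKey($drive)) { $missing++; continue }
        $shadowFile = Join-Path $links[$drive] ($original.Substring(3))
        # Only restore when the snapshot has the file and nothing already sits at the original path.
        if ((Test-Path -LiteralPath $shadowFile) -and -not (Test-Path -LiteralPath $original)) {
            Copy-Item -LiteralPath $shadowFile -Destination $original
            $restored++
        } else { $missing++ }
    }
} finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    foreach ($link in $links.Values) { cmd /c rmdir "$link" | Out-Null }
}
Write-Host "Restored $restored file(s); $missing not found in the latest shadow copy or skipped."
```

The encrypted `.ecc` copies are deliberately left in place so they can be checked against the restored originals before deletion.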