darkpixel · April 26, 2016 17:29
diff --git a/gistfile1.sh b/gistfile1.sh
 # If you have a box running ZFS serving your Windows file shares, and someone gets hit with CryptoLocker, here's an easy way to restore individually encrypted files.

 # Assuming your infected dataset is named 'tank/officeshare'
 # Find a snapshot of your data before cryptolocker infected it and clone it (something like zfs clone tank/officeshare@good tank/officesharegood
 # Find a snapshot of your data after cryptolocker infected everything, but *after* the infected machines were removed from the network and clone it (something like zfs clone tank/officeshare@bad tank/officesharebad)

 #Go into the tank/officesharebad directory and run the following command to scan through the bad clone for the 'DECRYPT_INSTRUCTION.TXT' file left behind by cryptolocker, gather 'bad' directories, then grab all the files from them to restore to the current 'officeshare'.

 #This command works on FreeNAS or BSD-ish boxes
 find . -type f -name 'DECRYPT_INSTRUCTION.TXT' | sed 's/\/DECRYPT_INSTRUCTION.TXT//' | sed 's/^\.\///' | grep -v '^.recycle' | tr -s '\n' '\000' | xargs -L 1 -J{} -0 find "{}" -type f -depth 1 ! -name "DECRYPT_INSTRUCTION*" -exec cp -v "/mnt/tank/officesharegood/{}" "/mnt/tank/officeshare/{}" \;

 #Most of our NAS boxen are now running some variant of Linux, and the most recent variant uses the file name 'how to get data.txt'.
 find . -type f -name 'how to get data.txt' | sed 's/\/how to get data.txt//' | sed 's/^\.\///' | grep -v '^.recycle' | tr -s '\n' '\000' | xargs -L 1 -I@@ -0 find "@@" -maxdepth 1 -type f ! -name "how to get data.txt" -exec cp -v "/tank/wp51-restore/SCDIR/{}" "/tank/wp51/SCDIR/{}" \;


 #Once done, you may want to go to the current officeshare and run something like: 

 find . -type f -name 'DECRYPT_INSTRUCT*' -exec rm {} \;

 #That will remove all the stupid 'DECRYPT_INSTRUCTION*' files left lying around.

 #Also using the find and file commands to locate unidentified files may help:

 find . -type f -print0 | xargs -0 -L 1 -I{} sh -c 'file "{}" >> /mnt/tank/mimedetect'

 #Now search through the mimedetect file and weed out commonly identified file types
 #Adjust to your preferences
 grep -v \./\.recycle mimedetect | grep -v "No such file" | egrep -v "(MS |Microsoft |)(Windows |)(Outlook|Excel|Access|Word|PowerPoint|Document|ASF|Cabinet|OOXML|Media (Video|Audio)|shortcut|icon|Autorun|3.x|COFF)" | egrep -v "Adobe (Photoshop|InDesign)" | egrep -v "Apple(Single|Double)" | egrep -v "(Composite|PDF|HTML|PostScript|XML|XML ) (document|Document)" | egrep -v "(JPEG|TIFF|raw|PNG|GIF) image data" | egrep -v "WAVE audio|Audio file|ISO Media|MPEG|Motion JPEG|CD-ROM filesystem" | egrep -v "(ASCII|ISO-8859|Unicode|\(with BOM\)) text" | egrep -v "(DOS|PE32|COM|VMS Alpha|PE32\+|i386) executable" | egrep -v "OpenOffice.org" | egrep -v "(Zip|MS|7-zip|gzip|BOA) (archive|compress|Compress)" | egrep -v "DOS EPS Binary|PDP-11|Rich Text Format|MDMP crash report|AutoDesk|TrueType font|Claris clip art|vCard|G3 data|bitmap font|FORTRAN program|G3 data|MSVC program database|8086 relocatable|SysEx|Applesoft BASIC|DBase|MSVC|Sendmail|GeoSwath|SYMMETRY|GLS_BINARY|image data" | egrep -v ": (data|empty)"
	# If you have a box running ZFS serving your Windows file shares, and someone gets hit with CryptoLocker, here's an easy way to restore individually encrypted files.

	# Assuming your infected dataset is named 'tank/officeshare'
	# Find a snapshot of your data before cryptolocker infected it and clone it (something like zfs clone tank/officeshare@good tank/officesharegood
	# Find a snapshot of your data after cryptolocker infected everything, but after the infected machines were removed from the network and clone it (something like zfs clone tank/officeshare@bad tank/officesharebad)

	#Go into the tank/officesharebad directory and run the following command to scan through the bad clone for the 'DECRYPT_INSTRUCTION.TXT' file left behind by cryptolocker, gather 'bad' directories, then grab all the files from them to restore to the current 'officeshare'.

	#This command works on FreeNAS or BSD-ish boxes
	find . -type f -name 'DECRYPT_INSTRUCTION.TXT' \| sed 's/\/DECRYPT_INSTRUCTION.TXT//' \| sed 's/^\.\///' \| grep -v '^.recycle' \| tr -s '\n' '\000' \| xargs -L 1 -J{} -0 find "{}" -type f -depth 1 ! -name "DECRYPT_INSTRUCTION*" -exec cp -v "/mnt/tank/officesharegood/{}" "/mnt/tank/officeshare/{}" \;

	#Most of our NAS boxen are now running some variant of Linux, and the most recent variant uses the file name 'how to get data.txt'.
	find . -type f -name 'how to get data.txt' \| sed 's/\/how to get data.txt//' \| sed 's/^\.\///' \| grep -v '^.recycle' \| tr -s '\n' '\000' \| xargs -L 1 -I@@ -0 find "@@" -maxdepth 1 -type f ! -name "how to get data.txt" -exec cp -v "/tank/wp51-restore/SCDIR/{}" "/tank/wp51/SCDIR/{}" \;


	#Once done, you may want to go to the current officeshare and run something like:

	find . -type f -name 'DECRYPT_INSTRUCT*' -exec rm {} \;

	#That will remove all the stupid 'DECRYPT_INSTRUCTION*' files left lying around.

	#Also using the find and file commands to locate unidentified files may help:

	find . -type f -print0 \| xargs -0 -L 1 -I{} sh -c 'file "{}" >> /mnt/tank/mimedetect'

	#Now search through the mimedetect file and weed out commonly identified file types
	#Adjust to your preferences
	grep -v \./\.recycle mimedetect \| grep -v "No such file" \| egrep -v "(MS \|Microsoft \|)(Windows \|)(Outlook\|Excel\|Access\|Word\|PowerPoint\|Document\|ASF\|Cabinet\|OOXML\|Media (Video\|Audio)\|shortcut\|icon\|Autorun\|3.x\|COFF)" \| egrep -v "Adobe (Photoshop\|InDesign)" \| egrep -v "Apple(Single\|Double)" \| egrep -v "(Composite\|PDF\|HTML\|PostScript\|XML\|XML ) (document\|Document)" \| egrep -v "(JPEG\|TIFF\|raw\|PNG\|GIF) image data" \| egrep -v "WAVE audio\|Audio file\|ISO Media\|MPEG\|Motion JPEG\|CD-ROM filesystem" \| egrep -v "(ASCII\|ISO-8859\|Unicode\|\(with BOM\)) text" \| egrep -v "(DOS\|PE32\|COM\|VMS Alpha\|PE32\+\|i386) executable" \| egrep -v "OpenOffice.org" \| egrep -v "(Zip\|MS\|7-zip\|gzip\|BOA) (archive\|compress\|Compress)" \| egrep -v "DOS EPS Binary\|PDP-11\|Rich Text Format\|MDMP crash report\|AutoDesk\|TrueType font\|Claris clip art\|vCard\|G3 data\|bitmap font\|FORTRAN program\|G3 data\|MSVC program database\|8086 relocatable\|SysEx\|Applesoft BASIC\|DBase\|MSVC\|Sendmail\|GeoSwath\|SYMMETRY\|GLS_BINARY\|image data" \| egrep -v ": (data\|empty)"