Ransomware Killer
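#Requires -RunAsAdministrator
# Ransomware Killer v0.1 by Thomas Patzke <[email protected]>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges (the #Requires line above enforces it).
# The WMI subscription only lives as long as this PowerShell session: keep the session open,
# and use Unregister-Event -SourceIdentifier 'RansomwareKiller' to remove it.

# MessageBox is defined in System.Windows.Forms, which a plain console host does not load by
# default; without this the final Show() call throws inside the event action.
Add-Type -AssemblyName System.Windows.Forms

Register-WmiEvent -SourceIdentifier 'RansomwareKiller' -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Processes the ancestor walk must never terminate: stopping csrss/wininit/services/etc.
    # bug-checks or locks the machine, and the walk from a service-spawned process would
    # otherwise reach services.exe and wininit.exe before running out of parents.
    $protected = @('System', 'smss.exe', 'csrss.exe', 'wininit.exe', 'winlogon.exe',
                   'services.exe', 'lsass.exe')

    # Kill the detected vssadmin process and then every ancestor up the parent chain.
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
        # PID 0 (Idle) and PID 4 (System) are not killable; stop the walk there too.
        if ($p.ProcessID -le 4 -or $protected -contains $p.Name) {
            Write-Host "Stopping ancestor walk at protected process $($p.ProcessID) ($($p.Name))"
            break
        }

        $parentId = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$parentId"

        # ParentProcessID is just a number: if the real parent has exited, the PID may have been
        # reused by an unrelated process. A "parent" that started after its child is such a
        # reuse, so do not follow it.
        if ($pp -and $p.CreationDate -and $pp.CreationDate) {
            $childStart  = [Management.ManagementDateTimeConverter]::ToDateTime($p.CreationDate)
            $parentStart = [Management.ManagementDateTimeConverter]::ToDateTime($pp.CreationDate)
            if ($parentStart -gt $childStart) {
                Write-Host "PID $parentId was reused after $($p.ProcessID) started; not following it"
                $pp = $null
            }
        }

        Write-Host "Stopping PID $($p.ProcessID) ($($p.Name))"
        # -Force: no prompt for processes owned by other users (the ransomware may run as a
        # service). A failure here (already exited, access denied) must not abort the walk.
        try {
            Stop-Process -Id $p.ProcessID -Force -ErrorAction Stop
        } catch {
            Write-Warning "Could not stop PID $($p.ProcessID): $_"
        }
        $p = $pp
    }

    # Kill all processes that have ":bin" in their name (BitPaymer). Never kill ourselves,
    # otherwise the subscription dies with this session.
    Get-WmiObject -Class Win32_Process -Filter "CommandLine like '%:bin%'" |
        Where-Object { $_.ProcessID -ne $PID } |
        ForEach-Object {
            Write-Host "Stopping PID $($_.ProcessID) ($($_.Name))"
            try {
                Stop-Process -Id $_.ProcessID -Force -ErrorAction Stop
            } catch {
                Write-Warning "Could not stop PID $($_.ProcessID): $_"
            }
        }

    # Modal dialog: blocks this event action thread until the user dismisses it.
    [System.Windows.Forms.MessageBox]::Show("Your system was likely infected with a Ransomware. I've killed it for you, but further remediation actions are required","RansomwareKiller",0)
}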