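# I DID NOT CREATE THIS SCRIPT, /u/shaloham did on reddit.com/r/sysadmin
#SOURCE: https://www.dropbox.com/s/ucjoc9x7i768cji/Bryce's%20Cryptowall%20Scanner.ps1?dl=0
#REDDIT: https://www.reddit.com/r/sysadmin/comments/42t8f9/simple_shitty_cryptowall_scanner_script/
#
# Purpose: every 120 s, scan the logged-on user's profile for files whose names
# match known ransom-note patterns. On a hit: e-mail support, append to the
# debug log, then contain (drop mapped drives, stop and disable the Workstation
# service, mark the user's data folders read-only) and exit the script.
#
# NOTE(review): several patterns are broad ("*INSTRUCTIONS_*", "*_YOUR_FILES*"),
# so an ordinary document can trigger the containment steps, which cut the
# machine off from SMB shares. Check the patterns against real profiles first.
#
# Requires: run as an account that can stop services and read the user profile.
# Writes:   C:\temp\cryptodebug.txt (rolling, reset once it exceeds 5 KB).

# Email notification settings
$smtpserver = "something" #replace
$smtpport = 25
$logFile = "C:\temp\cryptodebug.txt"

# Ransom-note filename patterns handed to Get-ChildItem -Include
$ransomNotePatterns = @(
  "*HELP_DECRYPT*", "*RESTORE_FILES*", "*DECRYPT_INSTRUCTION*", "*DecryptAllFiles*",
  "*how_decrypt*", "*help_to_save_files*", "*help_restore_files*", "*INSTRUCTIONS_*",
  "*_YOUR_FILES*"
)

# Folders under the profile that get marked read-only on detection
$userDataFolders = "Documents", "Desktop", "Pictures", "Music", "Videos", "Downloads"

# Main loop
while ($true) {
  # Get the logged-on username. WMI reports "DOMAIN\user"; keep the part after
  # the last backslash (the original parsed Out-String table output, which
  # failed with a method-on-null error when nobody was logged on).
  $wmiUser = (Get-WMIObject -class Win32_ComputerSystem).UserName
  $u = if ($wmiUser) { ($wmiUser -split "\\")[-1].Trim() } else { "" }
  if ([string]::IsNullOrWhiteSpace($u)) {
    # No interactive user: don't fall back to scanning all of C:\Users.
    Start-Sleep -Seconds 120
    continue
  }
  $path = "C:\Users\" + $u

  # Work on debug file: keep it small. Append while under 5 KB, else start over.
  # The redirect below fails silently if C:\temp is missing, so create it.
  $logDir = Split-Path $logFile
  if (-not (Test-Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
  }
  if (-Not (Test-Path $logFile) -or (Get-Item $logFile).length -lt 5kb) {
    $path + " | " + (Get-Date) >> $logFile
  }
  else {
    Remove-Item $logFile -force
  }

  # Look for files matching the usual ransom note names. @() guarantees an
  # array so .Count and [0] behave the same for one hit as for many (the
  # original's $results.name[0] returned the first *character* on a single hit).
  $results = @(Get-ChildItem $path -include $ransomNotePatterns -recurse)
  if ($results.Count -gt 0) { # if one or more ransom notes found...
    $first = $results[0]

    # Email support@, flagged to also reach on call tech
    $emailMessage = New-Object System.Net.Mail.MailMessage
    $emailMessage.From = " <support@yourcompany.com>" #replace
    $emailMessage.To.Add( "support@yourcompany.com" ) #replace
    $emailMessage.Subject = "URGENT! Cryptowall detected on " + $env:COMPUTERNAME
    $emailMessage.IsBodyHtml = $true
    $emailMessage.Body = "<p>File found is " + $first.Name + " in dir " + $first.Directory + ". Here's how to unbreak:</p>
<p>Run Malwarebytes. Talk to user, find out where it came from. When threat is removed, proceed to cleanup:</p>
<p> - Disable read only attribute on c:\users\[user] and all subfolders/files </p>
<p> - Restore files from backup or shadow copy (if available, you're backing up right?)</p>
<p> - Check mapped locations (e.g. shares on server, dropbox) for encrypted files and ransom notes</p>
<p> - Re-enable Workstation service, remap drives, reboot</p>
<p> - Find and delete all ransom note instances</p>
<p>...Just rebuild the machine, shit's fucked</p>"

    # Print debug info to log
    "Cryptowall detected on " + $env:COMPUTERNAME >> $logFile
    "Cryptowall detected"

    # Auth. Fix: the original passed $SmtpServerPort, a variable that was never
    # set, so the client was built with a null port.
    $SMTPClient = New-Object System.Net.Mail.SmtpClient( $smtpserver , $smtpport )
    # NOTE(review): with EnableSsl = $false the credential below travels in the
    # clear; switch to $true if the relay supports STARTTLS.
    $SMTPClient.EnableSsl = $false
    # NOTE(review): the password is a hard-coded placeholder. This script sits on
    # every workstation it protects, so anyone who can read it gets the mailbox
    # credential; prefer an unauthenticated internal relay or a secret store.
    $SMTPClient.Credentials = New-Object System.Net.NetworkCredential( "support@yourcompany.com" , "whateverYourEmailPasswordIsThisIsntSecureAtAllLol" ); #replace
    # Send email. A mail failure must not skip containment, so catch and log it.
    try {
      $SMTPClient.Send( $emailMessage )
    }
    catch {
      "Mail send failed: " + $_.Exception.Message >> $logFile
    }

    # Stop it from doing any more damage
    #
    # -----Find dropbox, if exists (absence is expected; don't spam errors):
    $dropboxPath = get-item -path ($path + "\Dropbox*") -ErrorAction SilentlyContinue
    # -----Disconnect mapped drives
    net use /delete /y *
    # -----Disable workstation service (service handles SMB shares)
    Stop-Service -Name lanmanworkstation -Force
    Set-Service lanmanworkstation -startupType Disabled
    # -----Set documents/desktop/downloads/music/pics/videos to read only to
    # prevent further encryption. Only files carry IsReadOnly; directories
    # produced a property-not-found error per folder in the original.
    foreach ($folder in $userDataFolders) {
      Get-ChildItem -path (Join-Path $path $folder) -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        % { $_.IsReadOnly = $true }
    }
    if ($dropboxPath) {
      Get-ChildItem -path $dropboxPath -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        % { $_.IsReadOnly = $true }
    }
    return # Exit the loop
  }
  # Wait 120 seconds before checking again
  Start-Sleep -Seconds 120
}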