
How to Documents

765137662.docx

Crypto Ransomware Process


Create Date: 31/12/2015    Created By: David Rouse

Last Update Date: 13/10/2016    Last Updated By: David Rouse

Impacted Services: File shares, file servers, application servers.

Applies to: This document applies to all Wintel OS versions.

Version Control

Ver No. | Updated by | Section Changed | Comment
0.1 | DR | All | Created document
1.0 | DR | Minor change to all after feedback | Document release
1.1 | DR | Appendix B | Section added
    |    | Appendix C | Section added
1.2 | SB | Analysis Stage – Incident Manager | Section added
1.3 | DR | Appendix C | Modification to the order of the section to make it more timeline based
1.4 | DR | Introduction | Added new delivery method – Word Macros
    |    | Initial Investigation Phase – IMC Engineer | Modified Note after step 6 to reflect new clean-up process
    |    | Appendix A | Added script to clean up XenApp and RDS servers
1.5 | DR | Introduction | Added more comprehensive list of extensions
    |    | Initial Investigation Phase – IMC Engineer | Modified Note after step 6.a.ii to add a new behaviour noticed
    |    | Clean Up Phase – IMC Engineer | Modified step 3 to show new process to remove non-renamed files
    |    | Formatting | Added this table and changed the format so that each main section starts on a new page
1.6 | DR | Appendix B | Added an example script used to move infected directories after a Crypto that did not rename the files
1.7 | DR | Help File Script clean-up – XenApp and RDS servers | Added a Note to this section of the Appendix to explain the switches used and the order of the script
    |    | Body of Document | Modified all sections contained in the body of the document to reflect changes that have been seen in the behaviour of the new Crypto style outbreak and to be more specific with the process steps
1.8 | DR | Clean Up Phase – IMC Engineer | Modified introduction to mention the Shadow Copies solution

Date: 13th October 2016 Version No.: 1.8


Page 1

Introduction
Due to the large number of Crypto Locker/Wall style outbreaks among our clients, this document was
written to show all HIT support teams the process to follow when a customer has had their files encrypted
by a Ransomware style outbreak.
There are three main methods by which Crypto Locker/Wall can enter an organisation:
- The first and most prevalent is via an e-mail.
  o These e-mails are usually from a parcel delivery service stating that they have tried to
    deliver a parcel to the recipient but were not able to contact them.
  o These e-mails will always contain a link that takes the user to an external website where they
    are instructed to download a file that will give them instructions on when and where they
    can collect the parcel.
  o This file then installs the Ransomware on the user's machine or in their Citrix session and
    starts encrypting files that the user has access to on the local and network attached drives.
- The second version comes from hijacked websites that the users may visit.
  o These websites may come up in a search or the URL may be typed manually.
  o When the website is visited a script runs in the background to install the Ransomware on the
    device or in the session.
- The third and latest version comes in the form of a Word document that contains macros; once the
  user allows the macro to run, the machine becomes infected.
Which types of file have been affected depends on the variant that has hit the client, though as a rule
all user file types are normally encrypted. These include but are not limited to files with the
following extensions:

*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx
*.docm *.wps *.xls *.xlsx *.xlsm *.xlsb *.xlk *.ppt
*.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg
*.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.pdf
*.eps *.ai *.indd *.cdr *.jpg *.jpe *.jpg *.dng
*.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr
*.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf
*.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f
*.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c

NOTE: Not all variants will encrypt all of these file types. Some have been known not to encrypt Image, Text,
XML and HTM/L type files; others have been known to encrypt these types even though they create files of
these types themselves in the process.

In most cases the Ransomware will not encrypt System files, as these are required for the computer to boot. It
has also been seen that different variants will place entries on the affected computer that inform the user
of the encrypted files and how they can pay to get them decrypted; if this occurs on a Citrix or Terminal
server it will need to be cleaned up manually. Investigating the "Run" section of the computer registry will
let you know what is being run and where the files being run are located. The Ransomware can also write a
registry key to re-run the Ransomware application over the PC and network again, but in most cases it just
adds a key that points to an EXE file in the Documents directory that reminds the user upon log on to pay
the ransom.
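The registry check described above, as an added example that is not part of the original document: a small triage of Run-key values (HKCU/HKLM ...\CurrentVersion\Run, exported as name/command pairs) that flags programs started from a user's Documents folder. The entries, user name and the HELP_DECRYPT_NOTICE.exe name are constructed placeholders; treating Downloads and Temp as equally suspect is an added assumption.

```python
# Added example (not from the original procedure): flag "Run" entries that start
# a program from a user-writable profile folder, the behaviour the procedure
# describes (an EXE in the Documents directory that nags the user at log on).
# All entries below are constructed sample data, not a real registry export.
import re
from typing import Dict, List, Tuple

# Profile sub-paths a legitimate start-up program should not normally run from.
# Documents is what the procedure describes; Downloads and Temp are an added assumption.
SUSPECT_SUBPATHS = ("\\documents\\", "\\downloads\\", "\\appdata\\local\\temp\\")

# First token of a Run value: an optionally quoted path ending in a runnable extension.
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|cmd|bat|vbs|js|scr))"?', re.IGNORECASE)


def executable_of(command: str) -> str:
    """Return the executable path from a Run value's command line, or '' if none."""
    m = _EXE_RE.match(command)
    return m.group(1) if m else ""


def is_suspect(command: str) -> bool:
    """True if the Run value launches a program from a user profile folder listed above."""
    exe = executable_of(command).lower()
    if not exe:
        return False
    # %USERPROFILE% forms are folded onto a C:\Users path so the same test applies.
    exe = exe.replace("%userprofile%", "c:\\users\\someone")
    return exe.startswith("c:\\users\\") and any(s in exe for s in SUSPECT_SUBPATHS)


def triage_run_entries(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, executable) for every entry that should be reviewed
    before the Citrix/Terminal server profile is handed back to a user."""
    return [(name, executable_of(cmd)) for name, cmd in entries.items() if is_suspect(cmd)]


# Constructed sample of what a Run key might contain on an affected session.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "ctfmon": r'"C:\Users\jsmith\Documents\ctfmon.exe"',          # legitimate name, wrong place
    "Notice": r"C:\Users\jsmith\Documents\HELP_DECRYPT_NOTICE.exe",  # constructed placeholder name
}

if __name__ == "__main__":
    for name, exe in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"REVIEW: {name} -> {exe}")
```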


Information Gathering Phase – Service Desk

Even though we need to get onto these outbreaks quickly to reduce the impact to the customer, there are a
number of things that will need to be collected by the Service Desk that has received the report of
encrypted files. These are critical to the effectiveness of the response from the IMC in dealing with the
outbreak.
1. A P1 Incident is to be raised with the following information.
   a. The user that has reported the issue.
   b. The initial directory that has been reported with the encrypted files.
   c. A screenshot of the directory is to be attached to the Incident.
      i. This is critical as it will contain the names of the files required for the next steps.
   d. A list of the known server/s that have been affected.
2. If at all possible, the name of the user/s that have caused the outbreak. Once this is known the following
   will need to be performed.
3. The simplest way to do this is to find who is the owner/creator of the "Help Instruction Files"; this is found
   on the Details tab of the file properties (the screenshot of this tab is not reproduced here).
   a. Disable the user's AD account to prevent further access to files.
      i. A secondary account can be created for the user to allow them to keep working. However,
         their Personal Drive contents and e-mail will need to be checked before access is granted
         again, to prevent further infection.
   b. The user will need to be asked to log off the network completely.
   c. If they were on a notebook or PC, that device will need to be turned off and removed from the
      network so that it can be determined whether the PC is affected.
      i. If the PC is affected it will need to be rebuilt before it is returned to the network.
   d. If they were on a Citrix or Terminal server session, take note of the server the user is on and log
      their session off.
   e. Contact the user to inform them of what has happened and the course of action taken. The user is to be
      asked not to log on for the rest of the day or until further notice.


Initial Investigation Phase – IMC Engineer

These initial steps will assist in determining the extent of the outbreak as well as allow the IMC to be prepared
to complete the clean-up and restoration of the client environment in a quick and efficient way.
1. Engage an Incident Manager to assist in the communications to both HIT Management and the Customer
   representatives using the HIT P1 incident process.
   a. If it is determined that the reported occurrence is left over from a previous outbreak then the ticket
      priority can be lowered and the clean-up completed.
2. Incident Manager to contact the SDM or, failing that, the primary business contact to inform them of the
   outbreak and confirm the cost to remove the infection.
3. Arrange for a TEMP disk to be added to a server in the Customer environment (minimum 1 TB).
   a. The server selected for this should be one that will not be impacted by the running of several
      RoboCopy scripts; these scripts can be CPU intensive.
   b. IMC Management may need to be engaged to talk to Cloud management to speed up this process.
4. If the Service Desk has not been able to determine the user that caused the outbreak then this will need to be
   done.
   a. The simplest way to do this is to see who is the Owner of the Help Instruction Files; this is found on the
      Details tab of the file properties.
   b. Inform the Service Desk and get them to perform the tasks listed above.
   c. Inform the Service Delivery Manager of the outbreak.
5. Write and run the initial RoboCopy script to move the Help Instructions to a location that can be used to
   determine the extent of the outbreak. This folder will also be valuable in determining what needs to be
   restored. All scripts are to be stored in the folder C:\harbourit\scripts.
   a. The drive that these files can be moved to can be the C drive of the server that is having the new disk
      attached, if this drive has not been affected.
   b. The drive should contain a minimum of 15 GB free space.
   c. If there are existing scripts in the location, review and edit them as needed.
   d. For an example of the instruction clean-up script please see the Appendix section of this document.
   e. All scripts should be run, if possible, from a console session and in an Administrator Command
      Prompt or PowerShell.
6. The base variant of the outbreak will need to be determined so that the correct clean-up process can be
   followed.
   a. There are three main behaviours that have been observed when an outbreak has affected a client:
      i. One variant type will usually rename the files with an extension that can be easily
         determined, and therefore they can be moved to allow a restore without overwriting. These are
         mostly different Crypto Locker style variants.
      ii. One variant type will not rename the files; this seems to have become the main type of
          outbreak.
      iii. One variant type renames the files but does not use the same extension for each file; this
           makes clean-up much harder. This is mostly the CryptoWall 4.0 variant.
   NOTE: For both of the latter two variants, after completion of the help file scan a script will need to be
   written to move the entire affected share location to the temp drive location. This is so that any files that
   have been updated and not encrypted are in a location that can be recovered from if needed.

7. If running the scripts over the C drive of the server, the C:\Users or C:\Documents and Settings folder will
   need to be excluded. See Appendix A for the exclusion switches.
   NOTE: In most cases you will not need to run the script over the C drive of a server unless users actually
   log on directly to the server.

8. To differentiate between the Help and Encrypted files, all Help files should be placed in a folder called
   "Instructions_yyyymmdd"

   Note: Where 'yyyy' = year, 'mm' = month, 'dd' = day
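Step 6 above, worked as an added example that is not part of the original procedure: given a listing of one affected directory and the help-file name taken from the P1 screenshot, classify the outbreak as renamed-with-one-extension, not-renamed, or renamed-randomly, and report the extension the variant appended (which becomes the FILENAME pattern of the clean-up script). The listings, the HELP_YOUR_FILES name and the BENIGN_EXTS set are constructed assumptions; USER_FILE_EXTS is an abridged copy of the Introduction's table.

```python
# Added example (not from the original procedure): decide which of the three
# behaviours in step 6 an outbreak shows, from a listing of one affected
# directory. Listings and the help-file name below are constructed sample data;
# take the real help-file name from the screenshot attached to the P1 ticket.
import os
from collections import Counter
from typing import Iterable, List, Tuple

# Extensions the Introduction lists as normally encrypted (abridged; extend
# with the full table when using this for real).
USER_FILE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                  ".jpg", ".pst", ".mdb", ".dwg", ".odt", ".rtf"}
# Housekeeping files that are normal in a share and are not rename evidence
# (assumption: adjust to the environment).
BENIGN_EXTS = {".ini", ".lnk", ".db", ".tmp", ".log"}


def split_ext(name: str) -> Tuple[str, str]:
    """Return (stem, last extension lower-cased) for a file name."""
    stem, ext = os.path.splitext(name)
    return stem, ext.lower()


def help_files(names: Iterable[str], help_stem: str) -> List[str]:
    """Ransom instruction files, matched by name regardless of extension
    (the same name is written as .txt, .html, .png etc. by some variants)."""
    return [n for n in names if split_ext(n)[0].lower() == help_stem.lower()]


def rename_extensions(names: Iterable[str], help_stem: str) -> Counter:
    """Count the extensions the variant appended to user files. A renamed file
    either keeps its old extension underneath (budget.xlsx.encrypted) or is
    unrecognisable altogether (a8f3k2.p0o9); both count as evidence."""
    names = list(names)
    skip = set(help_files(names, help_stem))
    found: Counter = Counter()
    for n in names:
        if n in skip:
            continue
        _, ext = split_ext(n)
        if ext in USER_FILE_EXTS or ext in BENIGN_EXTS:
            continue                       # still looks like a normal file
        found[ext] += 1
    return found


def classify_variant(names: Iterable[str], help_stem: str) -> str:
    """One of 'no-indicators', 'not-renamed', 'renamed-consistent', 'renamed-random'."""
    names = list(names)
    if not help_files(names, help_stem):
        return "no-indicators"             # nothing to act on by this test
    exts = rename_extensions(names, help_stem)
    if not exts:
        return "not-renamed"               # variant ii: whole share must be moved
    if len(exts) == 1:
        return "renamed-consistent"        # variant i: FILENAME=*.<that extension>
    return "renamed-random"                # variant iii: whole share must be moved


# Constructed listings, one per behaviour, plus an untouched directory.
HELP_STEM = "HELP_YOUR_FILES"              # constructed help-file name
SAMPLE_RENAMED = ["HELP_YOUR_FILES.txt", "HELP_YOUR_FILES.html",
                  "budget.xlsx.encrypted", "memo.docx.encrypted",
                  "photo.jpg.encrypted", "desktop.ini"]
SAMPLE_NOT_RENAMED = ["HELP_YOUR_FILES.txt", "budget.xlsx", "memo.docx", "photo.jpg"]
SAMPLE_RANDOM = ["HELP_YOUR_FILES.txt", "budget.xlsx.k3jf8", "memo.docx.qz91a",
                 "a8f3k2.p0o9", "desktop.ini"]
SAMPLE_CLEAN = ["budget.xlsx", "memo.docx"]

if __name__ == "__main__":
    for label, listing in [("renamed", SAMPLE_RENAMED), ("not renamed", SAMPLE_NOT_RENAMED),
                           ("random", SAMPLE_RANDOM), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:12s} -> {classify_variant(listing, HELP_STEM)} "
              f"{dict(rename_extensions(listing, HELP_STEM))}")
```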


Clean Up Phase – IMC Engineer


If the user who initiated the outbreak was on an RDS or XenApp server, the clean-up of their profile registry
may be commenced once the file clean-up scripts have commenced.
File and Application Servers
1. If the variant renames the files with the same extension, i.e. one that is not randomly generated for each
   file, then a script can be written to move the files to the location where the TEMP drive has been attached.
   a. Ensure that the TEMP drive has been added to the correct server.
   b. Ensure that the TEMP drive has been configured correctly on the server.
   c. As RoboCopy can be very CPU intensive, only a maximum of four (4) scripts are to be run at the same
      time.
   d. For an example of the clean-up script please see the Appendix section of this document.
   e. All scripts should be run, if possible, from a console session and in an Administrator Command
      Prompt or PowerShell.
2. If the variant does not rename the files, or renames the files with a randomly generated name and extension,
   a targeted clean-up script will need to be written to relocate the entire affected share to the TEMP disk and
   then perform a full restore.
   a. If a user calls about files that they believe have not been affected then these files can be moved
      individually.
   b. Writing a script to clean up this variant would be rather complicated due to the number of possible
      file extensions that would need to be excluded from the move.
3. If running the scripts over the C drive of the server, the C:\Users or C:\Documents and Settings folder will
   need to be excluded, along with the C:\ProgramData folder.
   a. For the switches to use for this see Appendix A.
4. To differentiate between the Help and Encrypted files, all affected files should be placed in a folder called
   "Encrypted_yyyymmdd"
   Note: Where 'yyyy' = year, 'mm' = month, 'dd' = day

NOTE: In most cases you will not need to run the script over the C drive of a server unless users actually
log on directly to the server.

Citrix and Terminal Server


There have been occasions where users have found help files on the XenApp server; the section below has been
added to clean up the help files on these servers.
The specific locations that the help files are placed in are the C:\Users\Public and C:\Users\All Users folders.
A new script has been created and uploaded to Compass that is to be edited and run in an Administrator
Command window; it has also been added to the Appendix section of this document. In most occurrences
you will only need to clean up the help files, though there may be encrypted files in the "Sample
Pictures" and "Sample Video" folders under C:\Users\Public.

NOTE: There may be some folders under C:\Users\All Users that the script is not able to clean up. To resolve
this you will need to browse to the directory location and set the Server Administrators as the owner of
the files; if the script is still not able to move the files then they will need to be manually moved or
deleted.


Analysis Stage – Incident Manager


This stage involves the Incident Manager collecting a range of information on the ransomware incident to
determine what recommendations we can make to stop this. All this information will be collated in an Excel
file located under the IMC Specific Documents in Compass called "Customer Ransomware Capture".
This will give everyone visibility of the following:
- Customer name
- Date of incident
- Ticket number
- Incident Manager
- Engineer owner
- Type of ransomware
- Who: which user caused the outbreak
- What was the source of the outbreak? E-mail, web, etc.
- Did this happen via a remote session such as Citrix, or on a local desktop?
- What AV system is used, and was it installed when the outbreak happened?
- Does the company have web filtering protection?
- Does the company have e-mail filtering protection?

Based on this information you will need to determine the risks and advise the SDM of the outcome of your
findings so that the customer can be updated.


System Restoration Phase – IMC Engineer


If there are only a few files and the customer has Shadow Copies/Previous Versions configured on the
affected server then these can be used to restore the files; otherwise a restore from backup is the best way
the data can be restored for the client. There are three (3) things that I would like to note here:
- Any files that were modified between the time the backup was last successful and the time the files
  were affected, and were not locked, will not be able to be recovered.
- Any new files created or saved to the location between the time the backup was last successful and the
  time the files were affected, and were not locked, will not be able to be recovered.
- Any file that is open or being modified at the time of the outbreak and remains in that state for the
  entire duration of the outbreak will not be encrypted, due to the lock on the file.

The only way to recover files affected in the above ways is to pay the ransom; there is however an
opportunity to decrypt one small file through the Ransom Portal.
1. The data will need to be restored from the last successful backup before the data was affected. If this is an
   incremental backup then you will need to include the last full backup and all preceding incrementals in the
   restore job.
   a. This is determined by the date of the Help Files that are put in the encrypted directories. As the user's
      home drive is normally the first to be encrypted, this is the best place to look.
   b. It is however recommended that you do a quick random check on other encrypted locations to
      ensure that you have the best date and time.
2. To determine the locations that need to be restored you will need to reference the location that the Help
   Instructions have been moved to.
   a. This can be done by looking at the directory structure created by the Help file clean-up script.
      i. For a smaller outbreak it may be easier just to restore the 3rd or 4th directory layer.
      ii. For an outbreak that renames files it may be easier to just restore the entire share location,
          unless the share location is very large; in that case it is better to split the directories into
          multiple jobs, which will ensure that the restore completes quicker.
3. There is a possibility that files that have not been encrypted but have been modified are overwritten by
   doing this, if the full directory path has not been discovered.
4. If the variant has renamed the files you will need to determine whether the restore can be run at the same
   time as the clean-up; in most cases this will not be possible, especially if the affected files are extensive.
   a. If this is not possible the restore may need to be scheduled for a later time or the next day.
   NOTE: This should be a time that is far enough away to ensure that there is enough space on the destination
   server, else the restore will fail when the drive runs out of space.
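Steps 1 to 3 above, worked as an added example that is not part of the original procedure: from the help files moved by the Help File clean-up script (their paths under INSTRUCTIONS_yyyymmdd\<drive>\ and creation times) it derives the outbreak start, the restore jobs at a chosen directory layer, the backup chain to include (last successful backup before the outbreak, plus its base full and intervening incrementals), and the un-encrypted files that would be overwritten. All paths, timestamps and backup runs are constructed sample data.

```python
# Added example (not from the original procedure): restore point and restore
# scope from the moved help files. Every value below is constructed sample data.
from datetime import datetime
from typing import Dict, List, NamedTuple, Sequence, Set


class HelpFile(NamedTuple):
    path: str          # path under INSTRUCTIONS_yyyymmdd\<drive>\ as moved by RoboCopy
    created: datetime  # creation time of the help file, i.e. when that folder was hit


class Backup(NamedTuple):
    finished: datetime
    kind: str          # 'full' or 'incremental'
    ok: bool           # only successful runs are restore candidates


def outbreak_start(help_files: Sequence[HelpFile]) -> datetime:
    """Earliest help-file creation time: encryption started no later than this."""
    return min(h.created for h in help_files)


def restore_jobs(help_files: Sequence[HelpFile], layer: int) -> Set[str]:
    """Collapse affected paths to the given directory layer (the drive letter folder
    created by the script counts as layer 1), one restore job per entry."""
    jobs: Set[str] = set()
    for h in help_files:
        parts = [p for p in h.path.replace("/", "\\").split("\\") if p]
        jobs.add("\\".join(parts[:-1][:layer]))   # drop the help file name itself
    return jobs


def restore_chain(backups: Sequence[Backup], start: datetime) -> List[Backup]:
    """Backups to include: the last successful one before the outbreak and, if it is
    incremental, the preceding full plus every successful incremental in between."""
    usable = sorted((b for b in backups if b.ok and b.finished < start),
                    key=lambda b: b.finished)
    if not usable:
        return []
    last = usable[-1]
    if last.kind == "full":
        return [last]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return []                                  # incremental with no base full: unusable
    base = fulls[-1]
    return [base] + [b for b in usable
                     if b.kind == "incremental" and base.finished < b.finished <= last.finished]


def modified_since_backup(files: Dict[str, datetime], backup_time: datetime,
                          start: datetime) -> List[str]:
    """Un-encrypted files changed after the last backup but before the outbreak:
    these are lost if a restore job is run over them (step 3 above)."""
    return sorted(p for p, t in files.items() if backup_time < t < start)


# Constructed sample: two drives hit, home drive first, as the procedure expects.
SAMPLE_HELP_FILES = [
    HelpFile(r"F\Users\jsmith\Documents\HELP_YOUR_FILES.txt", datetime(2016, 10, 11, 9, 2)),
    HelpFile(r"F\Users\jsmith\Documents\Projects\HELP_YOUR_FILES.txt", datetime(2016, 10, 11, 9, 3)),
    HelpFile(r"G\Shares\Finance\2016\HELP_YOUR_FILES.txt", datetime(2016, 10, 11, 9, 40)),
    HelpFile(r"G\Shares\Finance\2015\HELP_YOUR_FILES.txt", datetime(2016, 10, 11, 9, 41)),
]
SAMPLE_BACKUPS = [
    Backup(datetime(2016, 10, 8, 23, 0), "full", True),
    Backup(datetime(2016, 10, 9, 23, 0), "incremental", True),
    Backup(datetime(2016, 10, 10, 23, 0), "incremental", False),   # failed run: skipped
    Backup(datetime(2016, 10, 11, 23, 0), "incremental", True),    # after the outbreak: skipped
]
SAMPLE_MODIFIED = {
    r"F\Users\jsmith\Documents\notes.txt": datetime(2016, 10, 10, 14, 0),
    r"F\Users\jsmith\Documents\old.docx": datetime(2016, 9, 1, 8, 0),
}

if __name__ == "__main__":
    start = outbreak_start(SAMPLE_HELP_FILES)
    chain = restore_chain(SAMPLE_BACKUPS, start)
    print("outbreak start:", start)
    print("restore jobs (layer 3):", sorted(restore_jobs(SAMPLE_HELP_FILES, 3)))
    print("backups to include:", [(b.kind, str(b.finished)) for b in chain])
    print("at risk of overwrite:", modified_since_backup(SAMPLE_MODIFIED, chain[-1].finished, start))
```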


Appendix A - Sample Scripts


The sample scripts below have been written for a single source server infection. It is however possible that
the Crypto Ransomware could affect multiple servers, as it will look at every mapped drive that the user has
and encrypt files on each of those drives. In this case these scripts can be modified to access different
servers; however I would recommend a different script for each server, modifying the directory that the files
are being moved to so that it reflects the server that is affected.
I would also recommend testing that your scripts run by using a single drive location initially, as this
will display any errors on the screen.
NOTE: In most cases you will not need to run the script over the C drive of a server unless users actually log
on directly to the server.

Help File Script clean-up


Sample script to remove the Help Files from the server.
This example is for a single drive location.
This script can be copied and pasted into a Notepad file, saved as a .CMD file and then edited with the Source
Server, Source Drive and the Destination Server locations.

@echo off
Goto START

This script will move the Crypto Help files to a new location so that a restore path can be determined.
__________________________________________________________________
RoboCopy switches that can be used
/S = Subdirectories except empty ones
/MOV = Move files (copy to the new location and delete from the source)
/TEE = Display to screen (not used if run as a scheduled task)
/LOG+ = Log to file, appending to the end of the file on each run
/LOG = Log to file, overwriting the file on each run
/COPYALL = Copy all the attributes including security and ownership – needs to be run under credentials that are an Administrator of the source locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned; you can also use wildcards
__________________________________________________________________

Please remove the { & } as they are not needed below, e.g. SET SRCDRV=F

:START

SET DATE={Enter_Date_in_Reverse_order_ie_YYYYMMDD}
SET SRCSVR={\\ServerName\Drive$}
SET SRCDRV={Drive Letter}
SET DSTSVR={\\ServerName\Drive$ or Drive Letter, e.g. F:}
SET FILENAME={Enter the Help File name; if multiple files are created with different extensions use filename.*}

RoboCopy %SRCSVR% %DSTSVR%\INSTRUCTIONS_%DATE%\%SRCDRV% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Help_Instructions.log


This example is for multiple drive locations.

This script can be copied and pasted into a Notepad file, saved as a .CMD file and then edited with the Source
Server, Source Drives and the Destination Server locations.

@echo off
Goto START

This script will move the Crypto Help files to a new location so that a restore path can be determined.
__________________________________________________________________
RoboCopy switches that can be used
/S = Subdirectories except empty ones
/MOV = Move files (copy to the new location and delete from the source)
/TEE = Display to screen (not used if run as a scheduled task)
/LOG+ = Log to file, appending to the end of the file on each run
/LOG = Log to file, overwriting the file on each run
/COPYALL = Copy all the attributes including security and ownership – needs to be run under credentials that are an Administrator of the source locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned; you can also use wildcards
__________________________________________________________________

Please remove the { & } as they are not needed below, e.g. SET SRCDRV=F

:START

SET DATE={Enter_Date_in_Reverse_order_ie_YYYYMMDD}
SET SRCSVR={\\ServerName\Drive$}
SET SRCDRV1={Drive Letter1}
SET SRCDRV2={Drive Letter2}
SET SRCDRV3={Drive Letter3}
SET SRCDRV4={Drive Letter4}
SET DSTSVR={\\ServerName\Drive$ or Drive Letter, e.g. F:}
SET FILENAME={Enter the Help File name; if multiple files are created with different extensions use filename.*}

REM _____________________________________________________________________________
REM By using START in front of the line a new Command window will be started for each script;
REM the Command window will automatically close when the script has finished.
REM _____________________________________________________________________________

Start RoboCopy %SRCSVR% %DSTSVR%\INSTRUCTIONS_%DATE%\%SRCDRV1% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Help_Instructions_%SRCDRV1%.log
Start RoboCopy %SRCSVR% %DSTSVR%\INSTRUCTIONS_%DATE%\%SRCDRV2% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Help_Instructions_%SRCDRV2%.log
Start RoboCopy %SRCSVR% %DSTSVR%\INSTRUCTIONS_%DATE%\%SRCDRV3% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Help_Instructions_%SRCDRV3%.log
Start RoboCopy %SRCSVR% %DSTSVR%\INSTRUCTIONS_%DATE%\%SRCDRV4% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Help_Instructions_%SRCDRV4%.log


Encrypted File Script clean-up


This example is for a single drive location.
This script can be copied and pasted into a Notepad file, saved as a .CMD file and then edited with the Source
Server, Source Drive and the Destination Server locations.

@echo off
Goto START

This script will move the Encrypted files to a new location so that a restore path can be determined.
__________________________________________________________________
RoboCopy switches that can be used
/S = Subdirectories except empty ones
/MOV = Move files (copy to the new location and delete from the source)
/TEE = Display to screen (not used if run as a scheduled task)
/LOG+ = Log to file, appending to the end of the file on each run
/LOG = Log to file, overwriting the file on each run
/COPYALL = Copy all the attributes including security and ownership – needs to be run under credentials that are an Administrator of the source locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned; you can also use wildcards
__________________________________________________________________

Please remove the { & } as they are not needed below, e.g. SET SRCDRV=F

:START

SET DATE={Enter_Date_in_Reverse_order_ie_YYYYMMDD}
SET SRCSVR={\\ServerName\Drive$}
SET SRCDRV={Drive Letter}
SET DSTSVR={\\ServerName\Drive$ or Drive Letter, e.g. F:}
SET FILENAME={Enter the pattern of the encrypted files using the extension the variant appends, e.g. *.NewExtension}

RoboCopy %SRCSVR% %DSTSVR%\ENCRYPTED_%DATE%\%SRCDRV% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Encrypted.log


This example is for multiple drive locations.

This script can be copied and pasted into a Notepad file, saved as a .CMD file and then edited with the Source
Server, Source Drives and the Destination Server locations.

@echo off
Goto START

This script will move the Encrypted files to a new location so that a restore path can be determined.
__________________________________________________________________
RoboCopy switches that can be used
/S = Subdirectories except empty ones
/MOV = Move files (copy to the new location and delete from the source)
/TEE = Display to screen (not used if run as a scheduled task)
/LOG+ = Log to file, appending to the end of the file on each run
/LOG = Log to file, overwriting the file on each run
/COPYALL = Copy all the attributes including security and ownership – needs to be run under credentials that are an Administrator of the source locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned; you can also use wildcards
__________________________________________________________________

Please remove the { & } as they are not needed below, e.g. SET SRCDRV=F

:START

SET DATE={Enter_Date_in_Reverse_order_ie_YYYYMMDD}
SET SRCSVR={\\ServerName\Drive$}
SET SRCDRV1={Drive Letter1}
SET SRCDRV2={Drive Letter2}
SET SRCDRV3={Drive Letter3}
SET SRCDRV4={Drive Letter4}
SET DSTSVR={\\ServerName\Drive$ or Drive Letter, e.g. F:}
SET FILENAME={Enter the pattern of the encrypted files using the extension the variant appends, e.g. *.NewExtension}

REM _____________________________________________________________________________
REM By using START in front of the line a new Command window will be started for each script;
REM the Command window will automatically close when the script has finished.
REM _____________________________________________________________________________

Start RoboCopy %SRCSVR% %DSTSVR%\ENCRYPTED_%DATE%\%SRCDRV1% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Encrypted_%SRCDRV1%.log
Start RoboCopy %SRCSVR% %DSTSVR%\ENCRYPTED_%DATE%\%SRCDRV2% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Encrypted_%SRCDRV2%.log
Start RoboCopy %SRCSVR% %DSTSVR%\ENCRYPTED_%DATE%\%SRCDRV3% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Encrypted_%SRCDRV3%.log
Start RoboCopy %SRCSVR% %DSTSVR%\ENCRYPTED_%DATE%\%SRCDRV4% %FILENAME% /S /MOV /TEE /COPYALL /LOG:C:\TEMP\Encrypted_%SRCDRV4%.log


Help File Script clean-up – XenApp and RDS servers


The script below has been designed to run on the C drive of a XenApp or RDS server that the users connect to as a
virtual desktop. It will need to be run on the server that the user causing the outbreak was logged on to
at the time of the outbreak; if this has not been determined then it will need to be run on all servers in the
environment.

@echo off
Goto START

This script will move the Crypto Help files to a new location so that a restore path can be determined.
__________________________________________________________________
RoboCopy switches that can be used
/S = Subdirectories except empty ones
/MOV = Move files (copy to the new location and delete from the source)
/TEE = Display to screen (not used if run as a scheduled task)
/LOG+ = Log to file, appending to the end of the file on each run
/LOG = Log to file, overwriting the file on each run
/COPYALL = Copy all the attributes including security and ownership – needs to be run under credentials that are an Administrator of the source locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned; you can also use wildcards
__________________________________________________________________

Please remove the { & } as they are not needed below, e.g. SET SRCDRV=F

:START

SET DATE={Enter_Date_in_Reverse_order_ie_YYYYMMDD}
SET SRCSVR={Enter_Server_Name_Here}
SET DSTSVR={\\ServerName\Drive$ or Drive Letter, e.g. F:}
SET FILENAME={Enter the Help File name; if multiple files are created with different extensions use filename.*}

Robocopy "C:\Users\Public" %DSTSVR%\Instructions_%DATE%\%SRCSVR%_Public %FILENAME% /S /MOV /R:5 /W:2 /TEE /COPYALL /LOG:C:\TEMP\Help_Instructions_%SRCSVR%.log
Robocopy "C:\Users\All Users" %DSTSVR%\Instructions_%DATE%\%SRCSVR%_AllUsers %FILENAME% /S /MOV /R:5 /W:2 /TEE /COPYALL /XD "Application Data" /LOG+:C:\TEMP\Help_Instructions_%SRCSVR%.log
REM The C: root is given without quotes: a quoted "C:\" is misread by RoboCopy because \" escapes the closing quote.
Robocopy C:\ %DSTSVR%\Instructions_%DATE%\%SRCSVR%_C %FILENAME% /S /MOV /R:5 /W:2 /TEE /COPYALL /XD Users /XD "Documents and Settings" /XD ProgramData /XD "System Volume Information" /XD $Recycle.BIN /LOG+:C:\TEMP\Help_Instructions_%SRCSVR%.log

Note: This script uses the /R and /W switches so that if the script gets stuck on a file or directory that it does
not have access to it will not take many hours to complete. The default is 1,000,000 retries with a wait
of 30 seconds.
These commands are also run consecutively, as there are directories in C:\Users\All Users that are
symbolic links to C:\Users\Public.


Default Folder Exclusion – C Drive


When you are scanning the C: drive of a server you will need to exclude the following directories from
scanning, as they seem to get caught in a loop when running through the clean-up due to the use of symbolic
links.
- Documents and Settings
- ProgramData
- Users
- $Recycle.BIN (the Recycle Bin)

These switches will need to be added to the script before the log switch to exclude these folders
from being scanned – see Appendix C for how to clean up these folders:
/XD "Documents and Settings" /XD Users /XD ProgramData /XD $Recycle.BIN
Thus the entire line would look like this:

RoboCopy %SRCSVR% %DSTSVR%\INSTRUCTIONS_%DATE%\%SRCDRV% %FILENAME% /S /MOV /TEE /COPYALL /XD "Documents and Settings" /XD Users /XD ProgramData /XD $Recycle.BIN /LOG:C:\TEMP\Help_Instructions_%SRCSVR%.log


Appendix B – Real Live Example scripts


Actual Example of exclusion script - AHCS
The quickest way to determine which file types need to be excluded is to sort the files in the directory by file type, then slowly scroll down and record the file types that have not been encrypted.

NOTE: Note the number of excluded file types listed. This script needed to be a targeted move, as some of the excluded files had been added to the directory since the outbreak had occurred; HIT was not informed until 2 days after the outbreak had occurred.

@echo off
Goto START

This script will remove the Encrypted files to a new location so that a restore path can be determined.
(Everything between "Goto START" and ":START" is documentation and is skipped when the script runs.)
__________________________________________________________________
RoboCopy Switches that can be used
/S = Subdirectories except empty ones
/MOV = Move File (copy to new location and delete from source)
/TEE = Display to screen (not used if run as schedule task)
/LOG+ = Log to file with append to end of file for each running
/LOG = Log to file overwrite file for each running
/COPYALL = Copy all the Attributes including security and ownership – Need to be Run Under credentials that
are an Administrator of the Source Locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned you can also use wildcards
__________________________________________________________________
:START

SET SRCSVR=D:\T1\fin1\data\finprod\attachments
SET SRCDRV=D
SET DSTSVR=\\AHCFS1\W$
SET FILENAME=*.*

REM Note: The excluded file types listed below are specific to this running of the script and were used
REM as not all the files that were in the source directory were encrypted.
REM /R:2 /W:5 keep the run short if a file or directory cannot be accessed (defaults are 1,000,000 retries / 30s).

RoboCopy %SRCSVR% %DSTSVR%\Encrypted\%SRCDRV%\T1\fin1\data\finprod\attachments %FILENAME% /S /R:2 /W:5 /MOV /TEE /COPYALL /XD $RECYCLE.BIN /XF *.tif /XF *.png /XF *.jpg /XF *.jpeg /XF *.A01 /XF *.PDF /XF *.xls /XF *.xlsx /XF *.doc /XF *.docx /XF *.msg /XF *.d /XF *.bmp /XF *.txt /XF *.snp /LOG:C:\TEMP\Encrypted.log
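An added example, not from the original document, that automates the sort-by-type check described at the start of this appendix: it tallies the directory's files by extension against the outbreak time, marks the "mixed" types that the NOTE above says need a targeted move, and prints the /XF switches for types with no writes since the outbreak, ready to paste into the RoboCopy line. $Path and $OutbreakStart are operator-supplied assumptions, and "no writes since the outbreak means unencrypted" is a heuristic to confirm by eye as the text advises.

```powershell
# Added example, not from the original document. Tally files by type around the
# outbreak time and emit /XF exclusions for types that show no writes since then.
param(
    [Parameter(Mandatory)] [string]   $Path,           # directory being triaged (assumption: operator supplies it)
    [Parameter(Mandatory)] [datetime] $OutbreakStart   # first known encryption time (assumption: operator supplies it)
)

$files = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue

# One row per extension: how many files were last written at or after the outbreak
$report = $files | Group-Object -Property Extension | ForEach-Object {
    $after = @($_.Group | Where-Object { $_.LastWriteTime -ge $OutbreakStart }).Count
    [pscustomobject]@{
        Extension    = if ($_.Name) { $_.Name } else { '(none)' }
        Total        = $_.Count
        WrittenAfter = $after
        Untouched    = ($after -eq 0)                       # heuristic: no writes since outbreak => not encrypted
        Mixed        = ($after -gt 0 -and $after -lt $_.Count)  # some files touched, some not: needs a targeted move
    }
} | Sort-Object -Property WrittenAfter -Descending

$report | Format-Table -AutoSize

# Build the /XF list for the document's RoboCopy /MOV command (extension-less files cannot be matched by *.ext)
$xf = ($report | Where-Object { $_.Untouched -and $_.Extension -ne '(none)' } |
       ForEach-Object { "/XF *$($_.Extension)" }) -join ' '
Write-Output "Exclusions to add: $xf"
```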


Actual Example of Non re-name Script – Keller


For the versions of Crypto that do not rename files you need to move the files from the specific directories that are infected; the script below is an example that was used to do this for a client.

NOTE: This script has several jobs that will start; when it was actually run, 4 of the lines were REM(arked) out. This script also uses the /XD switch to exclude specific directories as no temp disk was available.
@echo off
Goto START

This script will remove the Encrypted files to a new location so that a restore path can be determined.
(Everything between "Goto START" and ":START" is documentation and is skipped when the script runs.)
__________________________________________________________________
RoboCopy Switches that can be used
/S = Subdirectories except empty ones
/MOV = Move File (copy to new location and delete from source)
/TEE = Display to screen (not used if run as schedule task)
/LOG+ = Log to file with append to end of file for each running
/LOG = Log to file overwrite file for each running
/COPYALL = Copy all the Attributes including security and ownership – Need to be Run Under credentials that
are an Administrator of the Source Locations
/XD = Switch to exclude an entire directory from being scanned
/XF = Switch to exclude files from being scanned you can also use wildcards
__________________________________________________________________

Please remove the { & } as they are not needed below. eg. SET SRCDRV=F

:START

REM The SRCDRV* values have no colon: they are reused as the sub-path under the destination folder.
SET SRCSVR=E:\DATA\PBC
SET SRCDRV=E\DATA\PBC
SET SRCSVR1=E:\DATA\Users Data\PBC-Users\reneeh
SET SRCDRV1=E\DATA\Users Data\PBC-Users\reneeh
SET SRCSVR2=E:\DATA\Roaming Profiles\reneeh.v2
SET SRCDRV2=E\DATA\Roaming Profiles\reneeh.v2
REM No temp disk was available, so the destination is on the same drive and excluded from the scan via /XD.
SET DSTSVR=E:
SET FILENAME=*.*
SET FOLDER1=PBC - Business
SET FOLDER2=PBC - Financial
SET FOLDER3=PBC - Payroll
SET FOLDER4=PBC - Production
SET FOLDER5=PBC - Shared
REM Quoted because "&" would otherwise be read as a command separator by the shell.
SET FOLDER6="PP & WV - Financial"

REM Each Start launches its own RoboCopy window; REM out any lines that are not needed for a given run.
Start RoboCopy "%SRCSVR%\%FOLDER1%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV%\%FOLDER1%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E1.log
Start RoboCopy "%SRCSVR%\%FOLDER2%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV%\%FOLDER2%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E2.log
Start RoboCopy "%SRCSVR%\%FOLDER3%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV%\%FOLDER3%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E3.log
Start RoboCopy "%SRCSVR%\%FOLDER4%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV%\%FOLDER4%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E4.log

Start RoboCopy "%SRCSVR%\%FOLDER5%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV%\%FOLDER5%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E5.log
Start RoboCopy "%SRCSVR%\PP & WV - Financial" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV%\PP & WV - Financial" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E6.log
Start RoboCopy "%SRCSVR1%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV1%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E7.log
Start RoboCopy "%SRCSVR2%" "%DSTSVR%\ENCRYPTED_20160331\%SRCDRV2%" %FILENAME% /S /MOV /TEE /COPYALL /XD $Recycle.Bin /XD ENCRYPTED_20160331 /XD instructions_31March /LOG+:C:\TEMP\ENCRYPTED_20160331_FS_E8.log


Appendix C – Other Clean-up steps


As part of the clean-up process there are secondary tasks that will need to be carried out; these can be run in conjunction with the scripts that are being run to move the "Help Instruction" and "Encrypted" files.
User Registry Clean-up
There is a high probability that a surprise Easter egg is left behind in the user's registry, and this will also need to be cleaned up. This Easter egg relates to the pop-up that tells the users that their files have been encrypted. To clean this up the users will need to be off the environment and the steps below followed:
- Open the Registry Editing Tool
- Highlight the "HKEY_USERS" node of the registry
- Load the user's registry hive from the NTUSER.DAT file in their profile under the "HKEY_USERS" node
- Name the new node created the same as the %UserName%
- Browse to the following location: HKEY_USERS\%UserName%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- There may be an entry in there with the same randomly generated name as found in the C:\ProgramData folder that points to the executable in that folder
- If the entry exists, remove it.
- Unload the user's registry hive

Once this has been completed it may be possible to re enable the user account.
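The registry steps above, scripted in PowerShell as an added example that is not part of the original document: it loads the user's NTUSER.DAT under HKEY_USERS, lists the Run entries, flags any whose executable sits under C:\ProgramData beside a folder of the same name (the indicator described in the ProgramData section below), and removes flagged entries only when -Remove is given. The profile root C:\Users and the hive node name are assumptions; run it elevated with the user logged off, as the procedure requires.

```powershell
# Added example, not from the original document. Offline audit of a user's Run key
# for the ransomware reminder entry; reports only unless -Remove is given.
param(
    [Parameter(Mandatory)] [string] $UserName,      # profile folder name, e.g. jsmith (constructed example)
    [string] $ProfileRoot = 'C:\Users',             # assumption: local profiles live here
    [switch] $Remove
)

$hiveFile = Join-Path $ProfileRoot "$UserName\NTUSER.DAT"
$hiveNode = "HKU\$UserName"                         # node named after %UserName%, as in the document
$runKey   = "Registry::HKEY_USERS\$UserName\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$psProps  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider metadata, not Run entries

if (-not (Test-Path -LiteralPath $hiveFile)) { throw "Hive not found: $hiveFile" }

# Load the hive under HKEY_USERS (fails if the profile is still in use)
& reg.exe load $hiveNode $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile; is the user still logged on?" }

try {
    if (-not (Test-Path -LiteralPath $runKey)) {
        Write-Output "No Run key in hive for $UserName"
    } else {
        $entries = (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties |
                   Where-Object { $_.Name -notin $psProps }
        foreach ($e in $entries) {
            $cmd = [string]$e.Value
            # Executable path: the quoted token if present, otherwise the first token
            $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            # Document's indicator: exe under C:\ProgramData with a folder of the same random name
            $flag = ($exe -like 'C:\ProgramData\*') -and
                    (Test-Path -LiteralPath (Join-Path 'C:\ProgramData' $base) -PathType Container)
            [pscustomobject]@{ Entry = $e.Name; Command = $cmd; Suspicious = $flag }
            if ($flag -and $Remove) {
                Remove-ItemProperty -LiteralPath $runKey -Name $e.Name
                Write-Output "Removed Run entry '$($e.Name)' from the hive of $UserName"
            }
        }
    }
}
finally {
    # Release provider handles first, or reg unload reports the hive as still in use
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $hiveNode | Out-Null
}
```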
Local User Profile Clean-up
To clean up the profile folder under C:\Users on the XenApp or RDS server you will need to remove the user profiles from the server using the correct documented process.
For some variants you will need to log on to the XenApp or RDS server that the user who caused the outbreak was logged on to and check the "C:\Users\All Users" and "C:\Users\Public" folders for any help files on the server; a new script has been created to perform this clean-up (see Appendix A).

“ProgramData” folder Clean-up


In some cases you will need to perform a manual check of the C:\ProgramData folder on the Citrix server that the user was logged on to, to remove the reminder program that is loaded into the user's profile. There will be an executable file with a randomly generated name such as "wrxlodprs.exe"; there will also be a folder of the same name in this directory that can be safely deleted.
