
Is there any way to check if the current files (files of a computer/user/hard disk/NAS) have been encrypted with ransomware by a third party?

Would it be possible to open all files according to their file extension (e.g. with Python) and thus get some conclusions about a possible encryption?

I would like to verify that all the files are OK before making any more backup of all the data.

  • If your backups are decent, can you use them for comparison/verification purposes? Also, I would expect the archive bit of files to get set after file encryption. It's sad that Microsoft doesn't provide a security audit event for when files are encrypted/decrypted.
    – leeharvey1
    Commented Jun 12, 2022 at 12:20

3 Answers


Yes, attempting to open the files will let you know if the files are encrypted. If they are able to be opened, then the files have not been encrypted by a third party.

If the files are not openable, say just a regular .txt file, then it's likely it has been encrypted. I say likely, as I am assuming you have a reasonable belief ransomware was on your machine or network.

The best method of recovery is to restore from external backups after cleaning the malware/ransomware. Remember, if the data is important to you, ALWAYS make backups!

  • Text files by definition can contain anything at all; they are likely to open but display as garbage if they have been encrypted. But the same approach would likely work for structured file formats like PDF, JPG, or even CSV files (which are fundamentally text, but with constraints on the contents). If you are unlucky enough to have to use Office formats, those would work too.
    – tripleee
    Commented Jun 13, 2022 at 5:47
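The check this answer and tripleee's comment describe, opening each file and seeing whether it still looks like what its extension says, can be automated: compare the first bytes against the format's known signature, and for header-less text formats test whether the content still decodes as text. The script below is an added example written for this page, not code from the question or the answers. The signature table is a small constructed subset of well-known formats, the 95% printable threshold is an assumption to tune, and the sample files are constructed in a temporary directory so the script runs offline.

```python
"""Check every file's header against what its extension implies.

Added example, not code from the question or the answers. The signature
table is a constructed subset of well-known formats and the 95% printable
threshold is an assumption; tune both for your own data.
"""
import os
import tempfile

# Leading bytes ("magic numbers") of common formats. Constructed subset.
SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",),  # Office Open XML files are zip containers
    ".xlsx": (b"PK\x03\x04",),
    ".gz": (b"\x1f\x8b",),
    ".exe": (b"MZ",),
}
# Formats without a fixed header: judged by "is it still text?" instead.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".md", ".xml"}


def looks_like_text(head: bytes, min_printable: float = 0.95) -> bool:
    """True if the sample decodes as UTF-8 and is almost entirely printable.
    Ciphertext fails both tests: half its bytes are >= 0x80 and rarely form
    valid UTF-8 sequences, and a good share are control bytes."""
    if not head:
        return True
    text = head.decode("utf-8", errors="replace")
    good = sum(1 for ch in text
               if ch != "\ufffd" and (ch.isprintable() or ch in "\r\n\t"))
    return good / len(text) >= min_printable


def classify(path: str, sample_bytes: int = 512) -> str:
    """'ok' if the header matches the extension, 'mismatch' if it does not,
    'unknown' if the extension is in neither table."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    if ext in SIGNATURES:
        return "ok" if head.startswith(SIGNATURES[ext]) else "mismatch"
    if ext in TEXT_EXTENSIONS:
        return "ok" if looks_like_text(head) else "mismatch"
    return "unknown"


def scan(root: str) -> dict:
    """Walk root (e.g. "/" or "C:/") and bucket regular files by verdict.
    Returns sorted base names per bucket."""
    buckets = {"ok": [], "mismatch": [], "unknown": []}
    for curdir, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(curdir, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # devices, sockets, dangling links
            try:
                buckets[classify(path)].append(path)
            except OSError as exc:
                print(f"{path}: skipped: {exc}")
    return {k: sorted(os.path.basename(p) for p in v) for k, v in buckets.items()}


def ciphertext_like(n: int) -> bytes:
    """Deterministic stand-in for encrypted output: every byte value, in a
    scrambled order. No real key or cipher is involved (constructed data)."""
    return bytes((i * 167 + 13) % 256 for i in range(n))


def demo() -> dict:
    """Constructed sample tree: two intact files and two whose contents were
    overwritten the way an encrypting ransomware leaves them."""
    samples = {
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\n",
        "notes.txt": b"Quarterly numbers look fine.\nNext review in May.\n",
        "ransomed.pdf": ciphertext_like(1024),
        "ransomed.txt": ciphertext_like(1024),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)


if __name__ == "__main__":
    for verdict, names in demo().items():
        print(f"{verdict:9s} {names}")
```

A real run would call scan() on the data root and read the "mismatch" bucket; "unknown" lists extensions you still need to add to one of the two tables. Note that a mismatch only says the content no longer matches its name, which also happens with a renamed or truncated file, so confirm by opening a few of the flagged files by hand before acting on the result.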

Perhaps a more automated approach would be to calculate the entropy for all your files, and raise an alarm if the level is uniformly high.

I don't have an encrypted system to test on, so I can't really guess what a suitable threshold would be, but here's a sketch. Brief experimentation reveals that zip files have an entropy just below 8.0 (like 7.99), while I see values from near 0 to slightly above 7 for regular files of various types. Some PDFs seem to be close to 7.9 (probably they contain compressed member structures?) and various streaming formats like MP4 also come very close to 8.0. But the important question really is whether you have files with a low value somewhere. Various JSON and log files I tested on get a value around 5.

import math
import os

# v v v from http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html
# with a very minor tweak for Python 3
def H(data):
    # Shannon entropy in bits per byte: 0.0 for constant data, 8.0 when all
    # 256 byte values are equally frequent (random or well-encrypted data).
    if not data:
        return 0
    entropy = 0
    for x in range(256):
        p_x = float(data.count(bytes([x])))/len(data)
        if p_x > 0:
            entropy += - p_x*math.log(p_x, 2)
    return entropy
# ^ ^ end copy/pasted entropy code

maxent, minent = 0.0, 8.0
maxfile, minfile = None, None

for curdir, dirs, files in os.walk("/"):   # or "C:/" for Windows victims
    if curdir == "/":
        # Pseudo-filesystems hold no user data, and some of their files never
        # reach end-of-file when read, which would hang the scan.
        dirs[:] = [d for d in dirs if d not in ("proc", "sys", "dev")]
    for filename in files:
        curfile = os.path.join(curdir, filename)
        # Only regular files: reading a device node or a FIFO can block forever.
        if os.path.islink(curfile) or not os.path.isfile(curfile):
            continue
        try:
            with open(curfile, "rb") as contents:
                entropy = H(contents.read())
                if entropy > maxent:
                    maxent = entropy
                    maxfile = curfile
                if entropy < minent:
                    minent = entropy
                    minfile = curfile
        except OSError as exc:   # includes FileNotFoundError and PermissionError
            print(f"{curfile}: skipped: {exc}")

print(f"max entropy {maxent} ({maxfile})")
print(f"min entropy {minent} ({minfile})")

Entropy calculation function from the excellent http://blog.dkbza.org/2007/05/scanning-data-for-entropy-anomalies.html and updated for Python 3.

For full-disk scanning, you will probably want to run this with root or admin privileges.
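The answer's own observation is the useful one: archives, media and many PDFs sit near 8 bits per byte even when intact, so a single high value proves nothing, and the question to ask is whether low-entropy files survive anywhere. The script below, an added example for this page and not the answerer's code, turns that into the verdict. It skips formats that are compressed by design, samples only the first MiB of each remaining regular file (so a full-disk walk neither reads every file into memory nor blocks on device nodes), and raises the alarm only when almost every scored file is above the threshold, which also tolerates the plaintext ransom note that encrypting malware typically leaves behind. The 7.5-bit threshold, the 90% share, the 256-byte minimum size and the SHA-256 chain used as stand-in ciphertext are assumptions; the sample tree, including its ransom-note file name, is constructed.

```python
"""Entropy sweep that alarms on "no low-entropy files left", not on
"some file is high-entropy". Added example; thresholds are assumptions."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Compressed by design: near 8 bits/byte even when intact, so they carry no
# signal and are left out of the verdict. Constructed list; extend as needed.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                         ".mp3", ".mp4", ".mkv", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte
    distribution. One pass with Counter instead of 256 calls to count()."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_entropy(path: str, sample_bytes: int = 1 << 20) -> float:
    """Entropy of the first sample_bytes; enough to classify, bounded memory."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample_bytes))


def sweep(root: str, high: float = 7.5, high_share: float = 0.9,
          min_size: int = 256):
    """Score every regular, non-compressed file of at least min_size bytes
    (tiny files cannot reach high entropy). Verdict is 'suspicious' when
    the share of files above `high` reaches high_share, else 'ok'."""
    scored = {}
    for curdir, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(curdir, name)
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXTENSIONS:
                continue
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # device nodes such as /dev/zero never hit EOF
            try:
                if os.path.getsize(path) < min_size:
                    continue
                scored[path] = file_entropy(path)
            except OSError as exc:
                print(f"{path}: skipped: {exc}")
    if not scored:
        return scored, "no data"
    share = sum(1 for e in scored.values() if e > high) / len(scored)
    return scored, ("suspicious" if share >= high_share else "ok")


# Constructed sample data for the demo below.
PARAGRAPH = (b"Invoice 1042: 3 units of part A-17 shipped on 2022-06-01, "
             b"net 30 days, contact accounting@example.com with questions.\n")


def pseudo_ciphertext(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic stand-in for ransomware output: a SHA-256 chain, which
    is statistically uniform like real ciphertext. Not an actual cipher."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def populate(root: str, encrypted: bool) -> None:
    """Twelve invoices plus one archive. With encrypted=True every invoice is
    replaced by ciphertext-like bytes and a plaintext ransom note is added
    (file name constructed, not taken from any real malware family)."""
    for i in range(12):
        body = pseudo_ciphertext(4096, bytes([i])) if encrypted else PARAGRAPH * 30
        with open(os.path.join(root, f"invoice_{i:02d}.txt"), "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(pseudo_ciphertext(4096, b"zip"))  # high entropy either way
    if encrypted:
        with open(os.path.join(root, "README_DECRYPT.txt"), "wb") as fh:
            fh.write(b"Your files have been encrypted.\n" * 10)


def demo() -> dict:
    """Run the sweep over an intact and an 'encrypted' constructed tree."""
    verdicts = {}
    for label, encrypted in (("intact", False), ("encrypted", True)):
        with tempfile.TemporaryDirectory() as root:
            populate(root, encrypted)
            verdicts[label] = sweep(root)[1]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

On a real tree, inspect the scored dictionary rather than only the verdict: sorting it by entropy shows which files still look like data and which do not, and any intact file in the bottom of the list is a candidate for comparison against your last backup.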


Method 1. Use Professional Virus Attack Data Recovery Software

Before data recovery, you can see the workflow of most ransomware. As you can see from the graph, the encrypted files created by the ransomware are not real files but just copies. The original files are not encrypted directly but are deleted by the virus. Therefore, you can use a data recovery tool to recover deleted source files. As long as the data recovery software finds the deleted source files, then data recovery will be very possible.

Try using the EaseUS Data Recovery Wizard as a first attempt. This leading file recovery software is capable of recovering files infected by Locky virus, such as CryptoLocker and other ransomware viruses.

Method 2. Restoring Data from System Backup

If the data recovery program doesn't work, and you happen to have made a system backup, then you can try to recover the virus-infected files using Windows backup. You can recover data from even worse scenarios this way. Therefore, setting up Automatic Windows Backup is a very useful way to prevent data loss.

Open Control Panel, click "System and Security" > "Backup and Restore" > "Restore files from backup". On the Backup and Restore screen, click "Restore my files" and follow the wizard to restore your files.

