RARBGRansomRecovery.ps1
##############################################################################
# RARBGRansomRecovery.ps1
# v.0.1.1
# by bengalih
# You may need to set your PowerShell execution policy as below:
# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
# If that doesn't work try:
# Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
# Tested on PowerShell 2+ Windows 7 and Windows 11
##############################################################################
# Base64 prefix of the PNG that the dropped .htm notes embed; used as the
# match signature before anything is deleted
$base64Signature = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAOsAAACxAQMAAAAf0dgHAAAACXBIWXMAAA7EAAAOx"

# The recovery pass works on the directory the script was launched from
$baseDirectory = Get-Location

# Location the dropper's "Cryptodome" folder is searched for
$baseProgramDataPath = "C:\ProgramData"
$cryptodomeFolderName = "Cryptodome"

# Full paths of every matching folder found below ProgramData
$cryptodomeFolders = New-Object System.Collections.ArrayList

Write-Host "First, the script will search for traces of the RARBG 'Ransomware' virus and attempt recovery"
Write-Host "`nPress Enter to continue..."
[void][System.Console]::ReadLine()

# Single recursive walk; keep directories only, matched by exact name
# (-eq on strings is case-insensitive, same as the folder name compare)
Get-ChildItem -Path $baseProgramDataPath -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($_.Name -eq $cryptodomeFolderName) } |
    ForEach-Object { [void]$cryptodomeFolders.Add($_.FullName) }

if ($cryptodomeFolders.Count -eq 0) {
    Write-Host "No 'Cryptodome' folders were found in: $baseProgramDataPath"
} else {
    Write-Host "Found 'Cryptodome' folder in the following locations:"
    $cryptodomeFolders | ForEach-Object { Write-Host "- $_" }
    Write-Host "`nYou should delete those parent folders."
}

Write-Host "`nThe virus tries to delete itself after running, so the source folder may not exist any longer."
Write-Host "`nHowever, you should also remove the contents of your %TEMP% folder."
Write-Host "`nThe script will now attempt to remove all the infected .htm files and recover your data."
Write-Host "`nPress Enter to continue..."
[void][System.Console]::ReadLine()

# Paths of the files this run made visible again; written out at the end
$report = New-Object System.Collections.ArrayList
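# Search-And-Recover
# Recursively finds .htm files below $path whose content carries the
# embedded-PNG signature, deletes each one, and clears the Hidden attribute
# on the original file it was dropped next to (same name without ".htm").
# Reads $base64Signature and appends restored paths to $report, both from
# the script scope.
#   -path : root directory to scan recursively
function Search-And-Recover {
    param (
        [string]$path
    )
    # NOTE: on NTFS the provider filter "*.htm" can also match "*.html" via
    # 8.3 short names, so the signature check below is the real gate.
    Get-ChildItem -Path $path -Filter "*.htm" -Recurse | ForEach-Object {
        $htmFile = $_
        # -LiteralPath: a file name containing [ or ] must not be expanded
        # as a wildcard (with -Path the read/delete would miss or mis-target)
        $content = Get-Content -LiteralPath $htmFile.FullName -ErrorAction SilentlyContinue
        if ($content -like "*$base64Signature*") {
            Write-Host "Found file: $($htmFile.FullName) - matches signature"
            Remove-Item -LiteralPath $htmFile.FullName -Force
            Write-Host "Deleted file: $($htmFile.FullName)"
            # The note is named "<original>.htm"; drop the extension to get the original
            $originalFileName = [System.IO.Path]::GetFileNameWithoutExtension($htmFile.FullName)
            $originalFilePath = Join-Path -Path $htmFile.DirectoryName -ChildPath $originalFileName
            # Get-Item by literal path yields exactly one item or nothing (a
            # -Filter lookup could return several via short-name matches);
            # -Force is required to see a hidden file at all
            $originalFile = Get-Item -LiteralPath $originalFilePath -Force -ErrorAction SilentlyContinue
            if ($null -ne $originalFile) {
                if ($originalFile.Attributes -band [System.IO.FileAttributes]::Hidden) {
                    # Hidden is known to be set here, so xor clears just that bit
                    $originalFile.Attributes = $originalFile.Attributes -bxor [System.IO.FileAttributes]::Hidden
                    Write-Host "Restored file: $originalFilePath"
                    $report.Add($originalFilePath) | Out-Null
                } else {
                    Write-Host "$originalFilePath is already visible; nothing to restore."
                }
            } else {
                Write-Host "$originalFilePath does not exist and cannot be restored."
            }
        } else {
            Write-Host "File: $($htmFile.FullName) - does not match signature"
        }
    }
}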
# Run the scan from the directory the script was launched in
Search-And-Recover -path $baseDirectory

# Persist the list of restored files next to the script, if there were any
if ($report.Count -eq 0) {
    Write-Host "No files were restored."
} else {
    $reportFilePath = Join-Path -Path $baseDirectory -ChildPath "RestoredFilesReport.txt"
    $report | Out-File -FilePath $reportFilePath
    Write-Host "Report of restored files saved to: $reportFilePath"
}