January 19, 2017
Security researcher Michael Gillespie has developed a new Windows app to help victims of ransomware infections.
Named CryptoSearch, this tool identifies files encrypted by several types of ransomware families and provides the user with the option to copy or move the files to a new location, in hopes that a decrypter that can recover the locked files will be released in the future.
Gillespie developed the app as a recovery and cleaning utility for computers that have been infected by undecryptable ransomware strains.
In these cases, it is impossible for PC owners to recover locked files, so the best course of action is to move all the encrypted data to a backup drive and wait until security researchers find a way to break the ransomware's encryption.
Gathering all encrypted files is a different story. Ransomware works by encrypting file types, and not folders, so victims usually have encrypted files spread all over their PC, not in a few central locations.
This is where CryptoSearch comes to help, by automating this search process, and the movement of these files to a new location. Once this operation finishes and PC owners have a backup of the encrypted data, they can clean up the computer by removing the ransomware's file, or optionally, wiping the hard drive and reinstalling the entire OS.
CryptoSearch works together with ID Ransomware
Under the hood, CryptoSearch works in tandem with the ID Ransomware service, meaning you have to be online when running the app.
According to Gillespie, CryptoSearch will query the ID Ransomware service in order to retrieve data needed to identify the type of ransomware that has locked the user's PC.
"This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their signatures," Gillespie wrote today on the Bleeping Computer forums, where he officially launched the app.
"When CryptoSearch is first launched, it will contact the website, and pull down the latest information on known extensions and byte patterns," Gillespie added. "It will identify files by known filename pattern or extension, or for some variants, the hex pattern in the encrypted file."
CryptoSearch uses this database to search the local file system, identify the ransomware infection, and then find all files locked by that ransomware.
Once CryptoSearch has identified all files, the user is prompted via a menu and asked if he wants to move or copy the files, and then asked where to relocate the encrypted data.
Gillespie says that CryptoSearch is smart in the way it transfers files, keeping the initial folder structure. For example, files found in "C:\Test\Folder" will be moved to "J:\Backup\C\Test\Folder"
CryptoSearch is currently in a beta development stage, meaning more features will arrive in the future.
One of the currently requested features is an "offline mode" that will include static copies of the ID Ransomware database so that CryptoSearch could be used on computers not connected to the Internet.
Users asked for this feature because it's a standard practice in the case of ransomware infections to isolate computers by taking them offline. There's no timeline for this feature, so you'll have to keep an eye on Gillespie's Twitter feed or the CryptoSearch Bleeping Computer forum topic. CryptoSearch can be downloaded from here.