CryptoLock(Variant) repair script

Use this script to search for files that have .encrypted appended to their names and replace each one with its version from a shadow copy.

This PowerShell script will create the symlink from the ShadowCopy name you provide. It will then search the specified folder and replace all affected files, removing the encrypted versions.


This script is a modified version of the one from here –

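Function New-SymLink ($link, $target)
{
    <#
    .SYNOPSIS
    Creates a directory symbolic link by running cmd.exe's mklink /d.
    .PARAMETER link
    Path of the link to create.
    .PARAMETER target
    Path the link should point to, e.g. a shadow copy volume path including
    its trailing backslash.
    #>

    # The file-link variant stays disabled, as in the listing: a directory
    # link (mklink /d) is always created.
    #if (test-path -pathtype container $target)
    #    $command = "cmd /c mklink"

    # mklink is a cmd.exe built-in, so it still has to go through cmd /c.
    # The paths are passed as separate arguments rather than pasted into a
    # string for Invoke-Expression: PowerShell no longer re-parses them (so
    # ';', '$(...)' or backticks in a path are not evaluated) and a path
    # containing spaces stays a single argument.
    # NOTE(review): cmd.exe still parses the final command line, so $link and
    # $target should remain operator-chosen values, never names read from the
    # affected share.
    cmd /c mklink /d $link $target
}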
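Function Remove-SymLink ($link)
{
    <#
    .SYNOPSIS
    Removes a symbolic link without touching the data it points to.
    .PARAMETER link
    Path of the link to remove. A directory link is removed with rmdir, a
    file link with del.
    #>

    # Nothing to remove: avoid handing a non-existent path to del.
    if (-not (Test-Path -LiteralPath $link))
    {
        return
    }

    # The if/else must stay exclusive. If both assignments run in sequence
    # (as in the listing, where the braces and the else were lost), every
    # link is handled by "del", and "del" on a directory path targets the
    # files inside it instead of the link itself.
    if (Test-Path -LiteralPath $link -PathType Container)
    {
        # rmdir without /s removes only the link (or an empty directory).
        cmd /c rmdir $link
    }
    else
    {
        cmd /c del $link
    }
    # The path is passed as its own argument instead of being pasted into a
    # string for Invoke-Expression, so PowerShell does not re-parse it and a
    # path containing spaces stays a single argument.
}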

# Before running this script:
# Use: vssadmin list shadows to find the latest unencrypted shadow copy - see the date & time they were created
# Record the Shadow Copy Volume, and use this to create a symbolic link:
# Create a folder to hold the symbolic link: md C:\VSS
# Then use: cmd /c mklink /d C:\VSS\67 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1555\
# You need to add a trailing backslash to the Shadow Copy Volume name produced by vssadmin.
# Once done, remove the symbolic link by using: cmd /c rd C:\VSS\67

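# This is the path on the file server that got encrypted:
$EncryptedPath = "E:\File Shares\"
# This is the path to your shadow copy symbolic link, i.e. the folder used
# temporarily to reach the VSS snapshot. Be sure to include the trailing \
$VSSPath = "c:\vsstemp\"
# File extension that the encrypted files have:
$Extension = ".encrypted"
# File name (minus extension) used for the "How to get your stuff unencrypted" files:
$RecoverFileFilter = "HOW_TO_RESTORE_FILES"

# NOTE(review): the listing called Remove-SymLink( $VSSPath ) at this point,
# before the restore loop, which would drop the very link the loop reads
# from. The call now runs at the end of the script, once the restore is done.

# Stop before touching anything if the snapshot link is not in place.
if (-not (Test-Path -LiteralPath $VSSPath -PathType Container))
{
    throw "Shadow copy link '$VSSPath' was not found. Create it with mklink /d before running this script."
}

# Only files whose name really ends in the extension are candidates.
# @() keeps .Count meaningful when zero or one file is found.
$FileList = @(Get-ChildItem -LiteralPath $EncryptedPath -Filter "*$Extension" -Recurse -Force |
    Where-Object { (-not $_.PSIsContainer) -and $_.Name.EndsWith($Extension, [System.StringComparison]::OrdinalIgnoreCase) })
$TotalFiles = $FileList.Count
Write-Host ("Found "+$TotalFiles)
$Counter = 0
foreach($EncryptedFile in $FileList){
    $Counter++
    $EncryptedName = $EncryptedFile.FullName

    # Remove only the trailing extension. String.Replace would also rewrite
    # ".encrypted" wherever it appears earlier in the path, for example in a
    # folder name.
    $DestFileName = $EncryptedName.Substring(0, $EncryptedName.Length - $Extension.Length)

    #Strip the first 3 characters from the full path and replace it with the temporary VSS path
    # NOTE(review): assumes $EncryptedPath is a drive-letter path ("X:\...")
    # and that the snapshot covers that whole volume - confirm for your server.
    $StrippedName = $DestFileName.Substring(3)
    $VSSFileName = "$VSSPath$StrippedName"

    Write-Progress -Activity "Fixing" -Status $DestFileName -PercentComplete ($Counter/$TotalFiles*100)

    # A file created after the snapshot has no clean copy. Leave its
    # encrypted version in place instead of aborting the whole run.
    if (-not (Test-Path -LiteralPath $VSSFileName -PathType Leaf))
    {
        Write-Warning "Not in shadow copy, left untouched: $EncryptedName"
        continue
    }

    # Never overwrite a file that already exists under the original name
    # with an older snapshot version.
    if (Test-Path -LiteralPath $DestFileName)
    {
        Write-Warning "Destination already exists, left untouched: $DestFileName"
        continue
    }

    # Use LiteralPath to prevent problems with paths containing special characters, e.g. square brackets
    # -ErrorAction Stop makes a failed copy terminate the script, so the
    # encrypted file is removed only after its clean copy has been written.
    Copy-Item -LiteralPath $VSSFileName -Destination $DestFileName -ErrorAction Stop
    Remove-Item -LiteralPath $EncryptedFile.FullName -Force
}
Write-Progress -Activity "Fixing" -Completed
Write-Host "Done recoverying files. Now cleaning up."

# Remove the ransom-note files dropped alongside the encrypted data.
# NOTE(review): consider keeping one note and one sample encrypted file
# outside the share for incident response before this cleanup runs.
$RecoveryFileList = Get-ChildItem -LiteralPath $EncryptedPath -Filter "*$RecoverFileFilter*" -Recurse
foreach($RecoveryFile in $RecoveryFileList){
    Remove-Item -LiteralPath $RecoveryFile.FullName -force -ErrorAction Stop
}

# Restore finished: remove the temporary link to the shadow copy.
Remove-SymLink $VSSPath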