Intro
A few months ago a friend contacted me about ransomware that infected his parents’ desktop computer. This particular ransomware was a variant of Locky named Osiris. In addition to encrypting the files, it scrambled the filenames making it impossible to identify files.
Fortunately for them, they had fairly recent backups of most of their files. Unfortunately, they didn’t have backups of files in their Google Drive. All hope was not lost, however. While Google Drive doesn’t have a restore entire account to a previous state in time feature, they do keep a revision history for each of your files. Thankfully we verified that the files did, in fact, have previous versions containing the unencrypted and originally named files.
Automating the Removal
Now that we knew remediation was possible, we needed to find a way to automate the recovery of hundreds of files. Luckily I found a repository on Github with a script that Catalysts wrote to do this process. The only problem was that it was written for a different variant of ransomware.
After making some modifications, I was able to get it to work! Because the malware scrambled the original filename, I had to add logic to retrieve the original filename from its revision history.
You can find my fork of the repository here.