Files Renamed by Ransomware
Summary
Identify potentially affected files based on typical file extensions added by various ransomware variants.
Details
This SQL query searches for file extensions used by various ransomware variants.
Finding a file with one of these extensions does not necessarily mean the file has been encrypted, but it provides a quick check for common patterns and helps identify files that may need to be restored from backup.
In this example, we search for the extensions decrypt, crypt, and wncry — some of the more common extensions used by several “Crypt_*” variants and the notorious WannaCry variant.
Note that the file extension field in the collected scan data is normalized to lowercase, so file extensions should be searched in lowercase as well.
Code
SELECT
sd.fullpath,
sd.name,
sd.size,
srs.byte_string(sd.size) AS size_string,
sd.owner_display_name
FROM
srs.current_fs_scandata AS sd
WHERE
sd.filename_extension IN ('decrypt', 'crypt', 'wncry')
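The following is an added example, not code from the original article or the product: it reproduces the query against a constructed in-memory SQLite table that stands in for srs.current_fs_scandata, with an assumed byte_string() implementation in place of srs.byte_string(), and lowercases the search list so that a mixed-case extension such as "WNCRY" still matches the normalized column.

```python
"""Added example: the article's ransomware-extension query run against a
constructed SQLite table that mimics srs.current_fs_scandata."""
import sqlite3

# Extensions the article searches for (stored lowercase in the scan data).
RANSOMWARE_EXTENSIONS = ("decrypt", "crypt", "wncry")

# Constructed sample rows: (fullpath, name, size, filename_extension, owner).
SAMPLE_ROWS = [
    ("/srv/share/report.docx", "report.docx", 48213, "docx", "alice"),
    ("/srv/share/report.docx.wncry", "report.docx.wncry", 48501, "wncry", "alice"),
    ("/srv/share/budget.xlsx.crypt", "budget.xlsx.crypt", 120334, "crypt", "bob"),
    ("/srv/share/README.decrypt", "README.decrypt", 1024, "decrypt", "bob"),
    ("/srv/share/notes.txt", "notes.txt", 512, "txt", "carol"),
]


def byte_string(size: int) -> str:
    """Stand-in for srs.byte_string(); output format is an assumption."""
    value = float(size)
    for unit in ("B", "KB", "MB", "GB"):
        if value < 1024 or unit == "GB":
            break
        value /= 1024
    return f"{int(value)} {unit}" if unit == "B" else f"{value:.1f} {unit}"


def build_scan_db() -> sqlite3.Connection:
    """In-memory table with only the columns the article's query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE current_fs_scandata (fullpath TEXT, name TEXT, "
        "size INTEGER, filename_extension TEXT, owner_display_name TEXT)"
    )
    conn.executemany("INSERT INTO current_fs_scandata VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.create_function("byte_string", 1, byte_string)
    return conn


def find_renamed_files(conn, extensions=RANSOMWARE_EXTENSIONS):
    """Run the article's query. The search list is lowercased and stripped of
    leading dots to match the normalized filename_extension column."""
    wanted = sorted({e.lower().lstrip(".") for e in extensions})
    placeholders = ",".join("?" * len(wanted))
    sql = (
        "SELECT fullpath, name, size, byte_string(size) AS size_string, "
        "owner_display_name FROM current_fs_scandata "
        f"WHERE filename_extension IN ({placeholders}) ORDER BY fullpath"
    )
    return conn.execute(sql, wanted).fetchall()


if __name__ == "__main__":
    for row in find_renamed_files(build_scan_db()):
        print(row)
```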