If you head over to the following site you can pick up the ransomware restore module that we use at my work to recover quickly from ransomware infections.
If you go through the code you can view how the module detects the files that are encrypted (or you can read this) and interacts with netapp snapshots to restore the files. The basic gist is that the module creates a hidden share from the netapp and uses a few other modules (ntfssecurity and dataontap) to then copy the files to the destination location. It’s nothing overly complex, but when dealing with ransomware (and provided you have a netapp) this can make your restoration a cinch.
edit: you can use the module even if you don’t have a netapp to at least find the type of ransomware you have as well as to find the encrypted files in your environment.
That’s it for today. Saturday I want to explore passing objects to compiled Sapien executables from powershell studio.