There are a lot of threats on the Internet nowadays, but ransomware definitely takes one of the top spots on the list of things to avoid. And with good reason – these programs usually encrypt your data and demand payment before you can use it again. You may get lucky and be infected with a variant that only locks you out of the computer, without affecting the files, but there’s also the other side of the spectrum – vicious programs that encrypt not only your data, but your hard drives as well. This is a sticky situation, to say the least, and getting out of it may prove to be very difficult. Not impossible, mind you – but still very difficult.
Luckily, security researchers are making some strides. A tool named CryptoSearch was developed by Michael Gillespie and released in 2016. We should note that it’s a beta release as of now, but it already has its main functionality – it allows you to locate all the files that have been affected by ransomware and then put them in a single folder. The purpose is to store the affected data in one place so that it can be decrypted once the appropriate tool is released. This saves a lot of time, but the good things don’t end there – CryptoSearch also connects to ID Ransomware and gets malware definitions. This means that it can’t work to the fullest if there’s no Internet connection, but on the other hand, it will always have the latest information about ransomware families, making the development of the decryption tools much easier. In the words of Michael Gillespie, “It will identify files by known filename pattern or extension, or for some variants, the hex pattern in the encrypted file.”
As soon as the program is installed, it connects to the database and downloads the latest ransomware data. This is the only thing that CryptoSearch uses the Internet for – it doesn’t collect personal data and it doesn’t share it with anybody else. So the user’s privacy remains untouched.
The definitions that have been used are saved to a file which is then stored in the folder that contains CryptoSearch itself. This makes it possible to work offline when there’s no Internet connection or ID Ransomware is down. And even that is not the end – you can use this software to locate particular extensions or byte patterns, and the search has several options: List Files, which shows you the files that have been affected; List Clean folders, which lets you see folders that don’t contain encrypted data; Search Directory, which allows you to find a needed directory; and Search Computer, which gives you the ability to scan your entire system, including mapped drives.
When you scan the computer, you have the option of Export list, which saves the names of all encrypted files to a separate text document, or Archive Files, which lets you move the affected ones to a folder of your choice. And they’re not just moved there – they retain the folder structure and drive letter. This means that once the decryption tool is released, you will be able to use your data as if nothing had ever happened.
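The identify-and-archive workflow described above can be sketched as follows. This is an added example, not CryptoSearch's own code: the function names are hypothetical, and the "ExampleLocker" definition (extension `.locked`, leading bytes `EXLK`) is constructed for illustration, not a real ID Ransomware entry.

```python
import os, shutil
from pathlib import Path, PureWindowsPath

# Constructed definition for illustration only; not a real ID Ransomware entry.
DEFINITIONS = [{"name": "ExampleLocker", "extensions": {".locked"}, "magic": b"EXLK"}]

def identify(path, definitions=DEFINITIONS):
    """Return the family name matched by extension or leading bytes, else None."""
    for d in definitions:
        if Path(path).suffix.lower() in d["extensions"]:
            return d["name"]
        try:
            with open(path, "rb") as fh:
                if d["magic"] and fh.read(len(d["magic"])) == d["magic"]:
                    return d["name"]
        except OSError:
            pass  # unreadable or missing file: its bytes cannot be checked
    return None

def archive_target(source, archive_root):
    """Map C:\\Users\\a\\f.locked to <archive_root>/C/Users/a/f.locked."""
    p = PureWindowsPath(source)
    # Turn "C:" into "C" and a UNC prefix into one safe folder name.
    drive = p.drive.replace(":", "").strip("\\/").replace("\\", "_") or "_nodrive"
    rest = p.parts[1:] if p.anchor else p.parts
    return Path(archive_root, drive, *rest)

def archive_files(scan_root, archive_root):
    """Move matched files under archive_root; return (source, family, dest) rows."""
    moved = []
    archive_root = Path(archive_root).resolve()
    for folder, _dirs, files in os.walk(scan_root):
        here = Path(folder).resolve()
        if archive_root in (here, *here.parents):
            continue  # never rescan the archive itself
        for name in files:
            src = here / name
            family = identify(src)
            if family:
                dest = archive_target(str(src), archive_root)
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(src), str(dest))
                moved.append((str(src), family, str(dest)))
    return moved
```

Because each file keeps its drive and folder path under the archive root, a later decryption pass can write results back to the original locations by reversing `archive_target`.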
But make no mistake about it – CryptoSearch isn’t designed for data decryption. It’s a tool that helps you keep the files organized if your computer has been infected by ransomware. Still, it’s a very useful application and Michael Gillespie should definitely be commended for his efforts. It’s always good to have a program that makes combating ransomware a bit easier, and it will be very interesting to see what features CryptoSearch will include once it reaches version 1.0.