RansomNoteCleaner - Remove Ransom Notes Left Behind

RansomNoteCleaner

RansomNoteCleaner (beta) is a program I have created to help remove pesky ransom notes left behind by known ransomware variants.

This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their ransom notes. This also allows it to be flexible in detecting the ransom notes, as it uses the exact same data ID Ransomware uses for identifying variants.

When RansomNoteCleaner is first launched, it will contact the website, and pull down the latest information on known ransom notes; this is the only network activity done with the program, and no information about your system is uploaded or stored at all. If you have a network issue with reaching the website, the "Refresh Network" button is available to try again.

Clicking the "Select Ransomware(s)" button allows for selecting the exact variant(s) to clean ransom notes from. This is recommended if you have already identified the ransomware, as it will take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you may press the "Search for Ransom Notes" button to select a directory (or whole drive), and start the search for known ransom notes.

Once the scan has completed, the "Clean!" button will be available. A final window will display all found ransom notes before continuing with deletion. I highly recommend double-checking the file list before confirming the deletion. I am not responsible for loss of data if you confirm this step.

A full log of deleted ransom notes will be saved to a file "RansomNoteCleaner.log" in the same directory RansomNoteCleaner is run from.

Please note that this program does not decrypt data. It is simply a tool for removing the pesky ransom notes that are littered on the system after a ransomware attack.

Please also note that this program is in beta, and I take no responsibility for data loss. I recommend running it on a test directory before letting it loose on a whole drive. I highly advise reviewing the "Found Ransom Notes" screen before continuing with deleting files. A few false-positives may occur, as some ransomware use general filenames - one example I found, is a certain ransomware uses "README.txt", which can be a common name for a legitimate program's readme file; you can simply unselect these in the confirmation window.

You may download RansomNoteCleaner here: http://www.bleepingcomputer.com/download/ransomnotecleaner/

Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.

Please let me know if you run into any issues, or any recommendations for the program.

Edited by Demonslay335, 17 January 2017 - 06:47 PM.

awesome idea! great job yet again

maybe a feature to move all notes to a selected folder or even make a archive of them to help prevent accidental removal of any misinterpreted files

Edited by TheTripleDeuce, 13 June 2016 - 07:20 PM.

awesome idea! great job yet again

 

maybe a feature to move all notes to a selected folder or even make a archive of them to help prevent accidental removal of any misinterpreted files

That's a pretty good idea, I'll think about implementing that as an option. The trick would be preserving folder structure so it doesn't overwrite like crazy.

could it be possible to change the filename to reflect the directory path it was imported from?

Ransomnote.txt

would become

c:/windows/ransomnote.txt

or something along those lines

kinda use the same trick ransomware does when renaming encrypted files but simply rename them where the file was found

overwriting could be good however as it may be able to prompt different file sizes to append a (1) (2) to the filename

so:

ransomnote.txt 26 bytes

ransomnote.txt(1) 26 bytes

ransomnote.txt 52 bytes

or even move the different file sizes for ransomnote.txt into different folders in the selected directory for sorting?

(just spitballing ransomnote.txt as a example filename lol)

Yes, nice SW

What could be done to "remove" false positives is the selct which notes to look for. I.e the readme file.

Simply deselect it before the scan is performed so that file is not scanned for.

Or if a file is scanned for, the size can be compared to other files with the same names.

Simply make the verifying process more secure. I guess you in addition to the signature of the files, could have a SHA1 of them som you can simply compare if the files spread on the computer has the same content.

One bug fix maybe, resize the program, then the select ransomware(s) keeps the same size, making it difficult to select all

notes.

Great work.

Regards

Edited by vilhavekktesla, 14 June 2016 - 01:08 PM.

Yes, nice SW

What could be done to "remove" false positives is the selct which notes to look for. I.e the readme file.

Simply deselect it before the scan is performed so that file is not scanned for.

Or if a file is scanned for, the size can be compared to other files with the same names.

Simply make the verifying process more secure. I guess you in addition to the signature of the files, could have a SHA1 of them som you can simply compare if the files spread on the computer has the same content.

 

Great work.

 

Regards

A hash of the ransom note would be useless (thus why I don't use it on IDR), since ransom notes typically have the victim's ID, private BTC address, differing contact addresses, etc. One character change, and the entire hash is drastically different.

I could possibly see about adding a dialog to select individual notes. Was trying to not over-complicate the GUI.

Demonslay335, Very good idea! Thank you!

 

Yes, nice SW

What could be done to "remove" false positives is the selct which notes to look for. I.e the readme file.

Simply deselect it before the scan is performed so that file is not scanned for.

Or if a file is scanned for, the size can be compared to other files with the same names.

Simply make the verifying process more secure. I guess you in addition to the signature of the files, could have a SHA1 of them som you can simply compare if the files spread on the computer has the same content.

 

Great work.

 

Regards

 

A hash of the ransom note would be useless (thus why I don't use it on IDR), since ransom notes typically have the victim's ID, private BTC address, differing contact addresses, etc. One character change, and the entire hash is drastically different.

 

I could possibly see about adding a dialog to select individual notes. Was trying to not over-complicate the GUI.

 

Hi, I agree about this vs different notes. My thoughts were these. For one user, one ransomnote is identified by name, then a sha is made, then anonther note is found on the same computer with the same name, another sha and these notes are compared. If they differ the user is informed. Not that notes from one user is compared to another user.

That way you may be able to remove false positives, or at least present them. The program, could then "show the content of the file" (preview, so the user could check it.

Not by browsing through the whole list, but the program could auto present possible candidates. First the signature on id ransomware is used, but after the scan the users files are used.

It is rather unlikely multipple different ransomwares are found on on computer, but it is very likely multipple files from the ransomwares are found, as html, png, jpg, txt-files etc, this is where I mean sha can be used to "differ" local files with same names, but different content. And the time stamp could also be "collected" to indicate all happened at the same time.

In other words, adds a few extra level, and yes complicate the program for the creator maybe, but avoid some options for the users, unless all "tests" fail or give different results.

I was thinking in that alley.

I have a say. Adding security and simplicity is very demanding, not for the user alone, but for the ones adding these levels. The only way to add less of security and simplicity is to have more educated users. Inside a comany this is possible, but for world wide audience, then adding these levels are needed, so the work from the author / creator of the SW increases dramatically. Of course you may say you are not responsible for what th user(s) remove, but you still try to avoid removing thing that could be needed.

And you could maybe add, this task, The rasom notes will be erased, are you sure you have gotten rid of the encryption, and fixed all encrypted files... etc. As the notes could be needed to be able to fix. Maybe one not can be kept and backed up to a certain location, to help the victim...

Then like with Tesla, key.dat, registry key etc, thay are also "ransom notes" but they could be needed, so maybe give th user the chance to keep them backed up for future use.

In other words, after the scan is completed. ( I had to repeat scan for each drive, could not select scan computer) then Preset to the user. These and thes notes were found, indicating you had these and thes ransomwares, then allow the user to select which to remove, and which to get more info about.

The whole idea with the cleaner is to get rid of "trash" when the user(s) have fixed their other issues, not remove their last chance of recovering. Again with Tesla .vvv the notes are not important, since all in included in each encrypted file, but for other versions some other files are needed for successfully fixing the problem, those, one of a kind notes should not be simply removed, but instead the user should be giving the option to back them up.

You are the expert, and the only one that knows the full correlation between files and what is needed or not. The users are the less educated, so if they should be given the option to select / deselect, the choices should be as secure as possible.

Now I use my self as an example. I run this program, I am quite cautious, and I know what I'm doing. I get presented a list like this, with hundreds of notes.

First I would want to have a preview log file in txt format, so I can open it. Then I would need to see if there are more than one type, and if so, I need to find out which.

so based on notes, I need the notes attached to the possible ransomware types. Then when that is ok, I need to see where the notes are found

Based on this investigation, I deselect three files, I think can be false positives ( I can simply rerun the program for another search another time so, reducing the list is good).

Ok, no as a user I'm as sure as possible, the notes are not needed, so I remove them. I get another log file, what was removed ( you already have this).

I'm happy mots notes are now removed, and rerun the program. Only three notes were found, I use the preview function, or the programs feature, go to locations ( browse location and examine the files. Two were ordinary readme files and I leave them, and erase the last file. I do another scan and find only two files (false positive)

Another thing as mentioned above is this backup thing, but instaed of backing up 2000 identical notes from 2000 locations on the system, one can be backed up a sha with th others are made to make sure all the 1999 others are the same. If so the file location is not that important anymore, and by having a log-file backed up to the same location could help.

This backup location could smiply be my documents or the desktop if you like (make sure the user is allowed to back up...)

As you understand now, the program will be more complicated, yes, but not neecesarily more complicated for the user, only for the author.

Regards

@vilhavekktesla

All very good input. I understand where you are coming from now. I do agree about keeping the miscellaneous files like key.dat; files like that are not tagged on IDR, so they would be safe, but indeed keeping at least one of the ransom notes may be needed if the user does decide to pay the ransom or something don the road.

I like the idea of providing extra information on the ransomwares that had notes detected - I can integrate it with IDR more to provide more information from that angle.

I appreciate the input. I wanted to get this project out since so many people have asked how to remove the ransom notes easily, and I feel like the current solutions weren't very satisfactory - duplicate file removers can be a bit cumbersome and possibly not reliable with some ransomwares that change the filename (even on the same system, Mobef is an example); using the Windows search function is terrible and can't really select all at once; and it's dangerous guiding a user through command line to use a hack-jobbed batch script.

Very good.

I can tell what I have done, when I was acting with computer access.

I know there are programs to seacher, and Windos is certaily the worst.

I used Totalcommander with both filters and load own filters, I used dir with lots of parameters /a, /b /s and even data parameters.

I accept no false positives as you probaly know. I sent all with >> to log files. I also used xcopy with bothe parameters to copy empty folders etc, to "replicate" the current structure, but even so, I started with image backup... just in case

The whole idea since erasing things too automatically is somthing I dislike alot, look what SH tried to do, they did not want to remove keys in regisrty, but they did, they were simply incompetent, and possibly made more problems than Tesla did, as with SH the user expected the solution to work, and then after a restart the problem was doubled.

Of course you can have disclaimers, bu I dislik those too Better to make it so secure that the disclaimer is just to say, althoug I have done all I can to prevent problems you are the actual user performing this. At least if the program creates a log file, the user can ask for a second opinion, event this can be just as "dangerous" not showing the ransome notes but providing a rougue user some nice to know info about the victims file structure.

What I do like though is all your initiatives, and the capability to to implement them

I can solve things, but I'm not so goof making the programs. My mid alos like to do things manually and not reliy on auto-things

That is why I like all the log-files or act after log files. Like the lates versions from TD, decrypt list / act on list...

Looking forward to seeing the next version.

Have you tested the SW with different OS's too. I can test with XP, W7, W7 32 bit and W7 64 bit, with both international Windows and language specific languages.

Best regards

This program doesn't work........Duplicate Cleaner Free does work very well.for this nonsense.....If you have leftover ransom notes, logic dictates that you  probably know the ransomware that caused them.............

This program doesn't work........Duplicate Cleaner Free does work very well.for this nonsense.....If you have leftover ransom notes, logic dictates that you  probably know the ransomware that caused them.............

What issue did you have with the program? I can only fix any problems if you give proper constructive criticism. User's don't always know what hit them (thus the point of the ID Ransomware service), and I've had some people still have issues with duplicate remover programs for this task.

@Demonslay335

I have russian-speaker user which was use RansomNoteCleaner for Tesla's messages. Log here http://speedy.sh/DzmPz/RansomNoteCleaner.7z (password - virus)

But not all files were clean. Why so could happen?  

I have released RansomNoteCleaner v0.9.2.0. This version allows you to save a list of the ransom notes found, and also conversely load a list of ransom note files. I have also fixed window resizing to stretch the textboxes; this should make seeing long paths easier.

https://download.bleepingcomputer.com/demonslay335/RansomNoteCleaner.zip