Latest Update 11/5/2015:
Updated for CryptoWall 4.0 detection: updates were made to detect files related to CryptoWall 4.0, which was just released. Also, the name of the output directory now includes the username given as an argument.
A response tool to help in determining whether a machine has been infected with Crypto Ransomware.
Usage:
+ crsponse -user <user> -all      Check for files, processes & reg keys
+ crsponse -user <user> -reg      Check for known affected reg keys
+ crsponse -user <user> -proc     Check for known affected processes
+ crsponse -user <user> -files    Check for known affected files
Examples:
+ crsponse -user bond -all
+ crsponse -user batman -reg
+ crsponse -user superman -proc
+ crsponse -user spiderman -files
Output:
1. All files in relevant Crypto Ransomware directories, and one subdirectory deep in each of those directories, such as %AppData% or %ProgramData%.
2. All processes running on the machine. %computername%_info\%computername%_processes.csv
3. All registry keys that can be used by Crypto Ransomware. %computername%_info\%computername%_registry_keys.csv
4. Summary of files, processes, and registry keys. This removes the "noise" so that you can more quickly determine whether a machine is infected with Crypto Ransomware. Crypto Ransomware related files, such as splash screens, would be in this summary file. The file will also contain any processes running out of known Crypto Ransomware directories. Lastly, it will contain all registry values in registry keys used by Crypto Ransomware, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run. %computername%_info\%computername%_files_SUMMARY.csv
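The process filtering described in item 4 can be reproduced over a process listing when reviewing results by hand. The following is an added example, not crsponse's own code: the CSV column names (Name, PID, Path), the expanded directory paths, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample listing; the column names are assumed, not crsponse's real format.
SAMPLE = r"""Name,PID,Path
explorer.exe,1200,C:\Windows\explorer.exe
svchost.exe,880,C:\Windows\System32\svchost.exe
updater.exe,4312,C:\Users\bond\AppData\Roaming\updater.exe
helper.exe,5120,C:\ProgramData\abc123\helper.exe
tool.exe,6001,C:\ProgramData\Vendor\App\bin\tool.exe
System,4,
"""

def watched_dirs(user):
    """Assumed expansion of %AppData% and %ProgramData% for the given user."""
    return [
        PureWindowsPath("C:/Users", user, "AppData", "Roaming"),
        PureWindowsPath("C:/ProgramData"),
    ]

def depth_under(path, root):
    """Directory levels between root and the file (0 = directly in root),
    or None when the file is not under root. Windows paths compare
    case-insensitively, so both sides are lowercased."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    if len(p) <= len(r) or p[:len(r)] != r:
        return None
    return len(p) - len(r) - 1

def triage(process_csv, user, max_depth=1):
    """Return (name, pid, watched_dir, depth) for every process whose image
    sits in a watched directory or at most max_depth subdirectories below it."""
    hits = []
    for row in csv.DictReader(io.StringIO(process_csv)):
        if not row["Path"]:          # kernel/system entries have no image path
            continue
        exe = PureWindowsPath(row["Path"])
        for root in watched_dirs(user):
            depth = depth_under(exe, root)
            if depth is not None and depth <= max_depth:
                hits.append((row["Name"], int(row["PID"]), str(root), depth))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE, "bond"):
        print(hit)
```

A hit is a lead for review, not a verdict: legitimate software also runs from these directories, so compare each flagged entry against the file and registry results.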
Supported Platforms: Windows
Download : crsponse.zip
Source : https://github.com/hawkbluedevil