Introducing an example to restore files encrypred by a ransomware

Author: tonyqui

example/restore-after-ransom-infection/README.md

@@ -0,0 +1,22 @@
+# Restore after ransom infection
+## A Dropbox API sample app to show Python SDK and get rid of ransom in your dropbox
+
+# How to run
+Make sure you've installed the Dropbox Python SDK by following the installation instructions ( https://www.dropbox.com/developers/documentation/python#install ). 
+
+Then, find this line in restore-after-ransom-infection.py and modify it to include your own access token. 
+```TOKEN = ''```
+
+From the example/backup-and-restore directory, run the script.
+```python3 restore-after-ransom-infection.py```
+
+# Description
+## Functionality
+1. Gather files encrypted by a ransomwhere.
+Once encrypted a new encrypted copy of your files is saved into your dropbox; whereas the original copy is flagged as to be deleted. Your only task here is to identify the new extension (*.rap in my case) and to change the code accordingly.
+
+2. For each file matching the regular expression the script gathers the latest revision of the original file and restores it if still flagged as deleted. 
+
+# API usage
+## New v2 endpoints
+This app uses the Dropbox API v2 endpoints files_list_folder, files_list_folder_continue, files_list_revisions, files_restore and files_delete.

example/restore-after-ransom-infection/restore-after-ransom-infection.py

@@ -0,0 +1,63 @@
+'''
+This example shows how to interact with Dropbox API to restore files encrypted by a ransom.
+Even if a ransom deletes original files from the file-system, dropbox still keeps old copies.
+We restore the last available revision of a file.
+Optionally encrypted files can be deleted with no harm (they're unrecoverable anyway).
+'''
+
+import dropbox
+import sys
+import re
+
+files = []
+has_more = True
+
+def gather_elements(folderList):
+    for entry in folderList.entries:
+        # rap here is the extension of ransom' encrypted file
+        if re.search('.rap$', entry.name):
+            files.append(entry.path_lower)
+
+# Here goes the token generated by your dropbox app
+TOKEN = ''
+dbx = dropbox.Dropbox(TOKEN)
+dbx.users_get_current_account()
+folderList = dbx.files_list_folder('', recursive=True)
+
+while has_more:
+    gather_elements(folderList)
+    if folderList.has_more:
+        folderList = dbx.files_list_folder_continue(folderList.cursor)
+    else:
+        has_more = False
+
+# Examine all the files encrypted by the ransom
+for f in files:
+    try:
+        # Check that it is still marked as deleted
+        fileName = f.replace('.rap', '')
+        # Take the version of the file before being encrypted
+        last_revision = dbx.files_list_revisions(fileName,
+                        mode=dropbox.files.ListRevisionsMode('path', None), limit=1)
+        # If not there yet, let's restore it
+        if last_revision.is_deleted is True:
+            print('Restoring {} with revision {} ...'.format(fileName, 
+                    last_revision.entries[0].rev))
+            dbx.files_restore(fileName, last_revision.entries[0].rev)
+        else:
+            # If it was already restored somehow, keep it untouched
+            print('File {} was already in place, no action performed'.format(fileName))
+            continue
+    except Exception as ex:
+        print(ex)
+        continue
+sys.exit(0)
+
+# To delete files, comment previous call to sys.exit(0)
+for f in files:
+    try:
+        print("Finally deleting {}".format(f))
+        dbx.files_delete(f)
+    except Exception as ex:
+        print(ex)
+sys.exit(0)