I am just asking in case someone has already done the analysis. A customer has a large set of network drives that were mapped to a CryptoLocker-infected machine. The infection itself has been treated. I am looking for a tool or just a binary pattern to match to verify that a file is not encrypted based on a header/identifying characteristic of some sort in the file itself.
Yes, I know the list of encrypted files is in the infected machine's registry. We are looking for direct verification.
To clarify: We know what extensions could be affected; I am just looking for a way to check if a specific file is encrypted without having a human double-clicking on it. Millions of files are potentially affected, so a manual test is not an option. Thus far my fallback is good ol' "file", which will give me a confirmed OK, but only on some file types.
I haven't found any commonalities between sample encrypted files yet, other than "that looks random".
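An added example, not part of the original post: a bulk version of the `file`-style fallback described above. It confirms a file as OK when the header expected for its extension is still present, and falls back to a "looks random" entropy test for types with no signature. The signature table is a small subset of well-known magic values; the function names, the 4096-byte sample size and the 7.0 bits/byte threshold are assumptions.

```python
import math
import os
from collections import Counter

# Well-known leading magic bytes per extension (small illustrative subset).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".rtf": [b"{\\rtf"],
}

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, sample=4096, threshold=7.0):
    """Return 'ok', 'suspect' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample)
    sigs = MAGIC.get(ext)
    if sigs:
        # Expected header present -> confirmed OK; absent -> needs review.
        return "ok" if any(head.startswith(s) for s in sigs) else "suspect"
    # No signature for this type (e.g. plain text): "looks random" test.
    return "suspect" if entropy(head) >= threshold else "unknown"

def scan(root):
    """Walk a tree and yield (path, verdict) for every file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, classify(full)
            except OSError:
                yield full, "unreadable"
```

Compressed or already-encrypted formats that are not in the table also score high on entropy, so for those a "suspect" verdict only means the file needs a closer look.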