06-16-2015, 07:53 PM
Thought I would post the below to anyone interested in what appears to be one way of getting data back.
I had a customer last month whose user id got corrupted. Thus, I created a new user id, copied all her documents from corrupted user id to newly created id. I left all her documents in the old id.
Yesterday she became infected with the Cryptowall 3.0 Ransomeware, plus a whole bunch of other viruses were in her computer. All her documents under the current user id were encrypted. All shadow copies were deleted. She had no backups.
NOW FOR THE INTERESTING FACT: Her documents in the old, corrupted user id were intact. Thus, after removing the Cryptowall 3.0 virus, plus all the other viruses; I copied her files from old id to new id. Thus she got back all her documents, although 3 weeks old.
I was completely surprised that Cryptowall did not encrypt documents in the non-active user id's - just thought I would pass this on to whomever may find it interesting. Hopefully this is not a fluke.
I had a customer last month whose user id got corrupted. Thus, I created a new user id, copied all her documents from corrupted user id to newly created id. I left all her documents in the old id.
Yesterday she became infected with the Cryptowall 3.0 Ransomeware, plus a whole bunch of other viruses were in her computer. All her documents under the current user id were encrypted. All shadow copies were deleted. She had no backups.
NOW FOR THE INTERESTING FACT: Her documents in the old, corrupted user id were intact. Thus, after removing the Cryptowall 3.0 virus, plus all the other viruses; I copied her files from old id to new id. Thus she got back all her documents, although 3 weeks old.
I was completely surprised that Cryptowall did not encrypt documents in the non-active user id's - just thought I would pass this on to whomever may find it interesting. Hopefully this is not a fluke.