I am new to this site but looking forward to taking advantage of a great resource.
I'd like to ask about the behavior of a ransomware-type virus that recently infected my network. We recently had a situation where the virus encryption files were discovered on a mapped network drive and in the process of encrypting. Analysis showed ownership of the dropped files to be a user workstation. The workstation was taken offline and the server files restored from backup. All good. However, I expected the user's PC to be encrypted and unusable. This was not the case: no ransomware splash page, etc. Additional analysis showed the files were dropped on the PC 47 days before they began encryption on the mapped drives.
Any thoughts? Thanks.