The message has a little different formatting and text but otherwise the same idea. The full message is:
"Your hard drive is securely encrypted. To buy password send an email to firstname.lastname@example.org with the code 1143." After this message you are allowed to type in text to supply a password.
The drives show up with a driver letter in Windows (on another machine) but the partition is RAW and shows as being healthy, active and primary within Diskmgmt. - This is important as none of the recovery scanning programs I've used will even run against it, nor will any programs that fix partitions as they are expecting the drive to be in a different state (some say they won't run because there isn't any blank space, others are expecting it to be unpartitioned).
Even though the backup drive was also encrypted/partition table corrupted, luckily they had rotated their backup drives right before. We restored the server from backup and all was well.
Until we rebooted the workstations...
Now all of the workstations are infected with this as well. The problem, as it always seems, is that there were a few key users who kept some incredibly important files outside of their redirected folders and on their local systems.
The initial variant of this from 6 years ago appears to leave the drive unencrypted, it just messes with the partition table. Before I make any changes to the disk, how should I proceed on recovering these workstations?
All of the workstations are running Windows 7 Pro. Some of the key stations are running SSDs, not sure if this changes the partition recovery process at all.
Edited by quietman7, 28 January 2016 - 09:06 AM.