So - a new customer calls with generic-sounding problems - "the icons on my screen have changed". I get there and ask a few questions, start the computer (HP laptop with a "Windows 7" sticker), and up comes Win 10. I start to suspect the Win 10 upgrade - only a few days old, according to the customer - has not gone smoothly.
JPG, PDF and XLSX files on the desktop all have the Adobe Reader icon, so I suspected it was a file association problem, except that when I went to the items' properties, they all had ".ENCRYPTED" as an extra file extension. I quickly asked the customer if the machine had file encryption before the Win 10 upgrade, he said "No", AND THEN HE TELLS ME "it asked for some money when I tried to open one of my files", so I quickly shut the machine down.
A few more questions later and it becomes apparent that there's some sort of infection there - he said he opened an email purportedly from Australia Post, printed it out, took it to the post office, and they told him it was probably a virus. That was when he called me.
So now I have the powered-off laptop, and I'm in a position to extract the hard drive and mount it in an external cradle on my machine to do some investigating.
As I don't have the information requested in the guide about how to post a new ransomware topic, could I please have some advice on how to proceed?
1. There are no backups.
2. Customer adamantly refuses to pay the ransom, and also can't remember what the ransom demand looked like.
3. Only one folder of files needs to be rescued; everything else is optional.
4. Customer is otherwise happy to format and re-install Windows.
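A first triage pass over the extracted drive, as an added example that is not part of the original post: once the disk is mounted read-only in the cradle, walk it, tally every file carrying the extra `.ENCRYPTED` extension by its original extension, list which folders were hit (so the one folder that matters can be located), and collect candidate ransom-note files. The mount path and the note-name patterns (`readme`, `decrypt`, `how_to`, `recover`) are assumptions for illustration, not something the post states; the sample directory tree is constructed inside the script so it runs offline.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Extra extension observed on the victim's files (from the post). Compared case-insensitively.
ENCRYPTED_SUFFIX = ".encrypted"
# Assumed generic name fragments for ransom notes; adjust once the real note is found.
NOTE_HINTS = ("readme", "decrypt", "how_to", "recover")
NOTE_TYPES = (".txt", ".html", ".hta", "")


def triage_volume(root):
    """Walk a read-only mounted volume and inventory ransomware-touched files.

    Returns a dict with the encrypted file paths, a count of their original
    extensions (what the file was before '.ENCRYPTED' was appended), and any
    files whose names look like a ransom note.
    """
    root = Path(root)
    encrypted, notes, by_ext = [], [], Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        lower = path.name.lower()
        if lower.endswith(ENCRYPTED_SUFFIX):
            encrypted.append(path)
            # Strip the appended extension and read the one underneath it.
            inner = Path(path.name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower() or "(none)"
            by_ext[inner] += 1
        elif any(h in lower for h in NOTE_HINTS) and path.suffix.lower() in NOTE_TYPES:
            notes.append(path)
    return {"encrypted": encrypted, "by_original_ext": dict(by_ext), "notes": notes}


def folders_with_encrypted_files(result, root):
    """Count encrypted files per folder, relative to the mount root."""
    root = Path(root)
    return Counter(p.parent.relative_to(root).as_posix() for p in result["encrypted"])


def build_sample_tree():
    """Construct a small fake volume in a temp dir (sample data, not real evidence)."""
    base = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    for rel in (
        "Users/owner/Desktop/holiday.jpg.ENCRYPTED",
        "Users/owner/Desktop/invoice.pdf.ENCRYPTED",
        "Users/owner/Documents/Business/ledger.xlsx.ENCRYPTED",
        "Users/owner/Documents/Business/notes.txt.ENCRYPTED",
        "Users/owner/Desktop/HOW_TO_DECRYPT.txt",
        "Windows/notepad.exe",
    ):
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"sample")
    return base


if __name__ == "__main__":
    mount = build_sample_tree()  # replace with the cradle's read-only mount point
    report = triage_volume(mount)
    print("encrypted files:", len(report["encrypted"]))
    print("by original extension:", report["by_original_ext"])
    print("folders hit:", dict(folders_with_encrypted_files(report, mount)))
    print("candidate notes:", [p.name for p in report["notes"]])
```

Run it against the mount point instead of the sample tree; the per-folder counts tell you whether the one folder the customer needs was actually touched, and the candidate note files are what a ransomware-identification service needs along with one or two encrypted samples. Work from a read-only mount (or an image of the disk) so the inventory itself changes nothing on the evidence.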