Hello all, this is my first post on your forum.
This is a new one for me. The receptionist at the company I work for appears to have fallen victim to a Locky attack. It encrypted her Dropbox account completely (including, somehow, the previous versions; if you try to restore in the Dropbox web GUI, it just restores the same .locky file but with the date of the restore).
Now here's where it gets weird: it encrypted *some* of the files on the computer itself. All the files affected have a time stamp of between 10:30am and 10:32am. For example, only 2 files on the desktop were encrypted, and just over half of the images in the "my pictures" folder were encrypted. Some of the files in a network mapped drive were encrypted, but relatively few.
She didn't discover the issue until yesterday (13 days later), so the program had at least 13 days to run, but it didn't complete. I pulled the computer from the network and ran the latest version of Malwarebytes and it didn't detect a *single* bit of malware, let alone Locky.
I pulled up the security camera footage of the reception area for that day and watched around the time that the local files were encrypted, and didn't see any unusual activity. The footage isn't clear enough to tell exactly what she was doing, but it looked like mostly web browsing.
So the question is, how could select local files on a computer, the entire Dropbox, and select files on a share drive be encrypted, but no sign of the virus on the computer itself? Her computer is the only computer on the Dropbox account, and the laptop is not sharing any local folders over the network.
Computer is a Microsoft Surface Book running Windows 10 x64 Pro.
I'm stumped, any ideas are welcome.