Last night a client got hit by Locky with the aesir file extension. He managed to shut down the PC before the program managed to encrypt everything.
I am making an image of the disks as we speak so I can work on it without worrying about breaking things.
I have been looking for information on what to do since it never completed the encryption run.
I have read this thread http://www.bleepingcomputer.com/forums/t/605607/locky-ransomware-zepto-support-and-help-topic-help-instructionshtml
and I have searched for more detailed information, but I haven't been able to find anything about what to do.
I presume the encryption process will run automatically again when I start the computer from the infected drive.
What can I do to stop that from happening?
Also, some information about the order of how the program operates would be nice.
The reason I ask is because I'd like to know when it removes the shadow copies. At the beginning? End of the process?
I'm hoping for some help regarding this.
Thanks for reading!