One of my clients woke up this morning to a RW attack.
They mainly use a program on the network, so naturally that all became corrupt.
I currently use sync to another server and then MS Backup to do a daily backup on the target machine; I use the "archive" on Sync if anything changes.
I restored their program, but there was still a section of files that wasn't being backed up!
I think I found the source exe. I assume this as it was the only user that had their desktop encrypted. TS Server.
I have a file from before and after. I also found the following:
http://i.imgur.com/PKnsNjh.png - This was running under a user account in that area.
I also found a folder under /users/%%/appdata/roaming/microsoft/crypto/rsa/S-1-5-21-4247503443-1365201607-1068338911-2117/03291a63ac38553c9c9538693b092f45_707ea7b8-f67f-4722-adeb-ddfa91dcab87
I have read your other thread where BTC is not cracked yet, but I thought I would still post as there were a couple of extra bits of information.