I'm new here and this is my first post, so bear with me; I will provide as much info as I can (and know), following your guidelines.
My operating system is Windows 10 Pro; we re-installed it maybe 2-3 months ago. Unfortunately my boyfriend didn't install the antivirus program that we usually use (for the life of me I don't know why he was counting on the one that Windows has... but anyway).
Short note: my boyfriend is a photographer, and we have a really large number of files on our HDDs. The encryption managed to block more than 160,000 files (at least 1.5 TB of data). Most of the work was handed over to clients, and for other work we have a backup, BUT we don't have a backup for his latest event, and also around 300-400 photos from 2 other events. For these we will try to retrieve the data from the SD cards... and hope for the best.
On Wednesday (21.06) I gave a friend control of my computer via TeamViewer to help me install some presets in Lightroom. When I opened Lightroom, there was a message on the photos: "there was an error working with the photo". Long story short, we tried to check the JPGs and reimport them and discovered that none of them were working (after panicking because all the files were being encrypted: RAW, NEF, JPG, PDF, etc.). When running a scan on the computer, the first thing that popped up was this executable: wxdsys.exe, found in C/User/AppData/Roaming. Also, while scanning with Kaspersky and SpyHunter we found:
With Kaspersky: trojan win32/dynamer!ac, first entering our system on 07.06; trojan:win32/miuref/rfn, entering on 09/10/11/12/13/14.06; and trojan win32/dynamer!rfn, entering on 22.06.
With SpyHunter: Malware generic, Trojan.kovter, unknown rootkit, searcs.newtabvsearch.com.
We stopped the encryption, so we still have files that work. For the rest (depending on the extension) we get a different message that says the file can't be read. All the files keep the same extension and size that they had before the encryption; nothing obvious seems to have changed on them.
We pulled out all of the HDDs we have. Fortunately not everything was encrypted, but the most important HDD is encrypted.
There was no request for payment nor any message displayed on the screen. The only thing I found by googling what I perceive as being the root cause (wxdsys.exe) is this link: http://www.forospyware.com/t531285.html (it is mostly in Spanish). As I was in such distress and panic over the photos of the events I haven't yet finished editing, I sent an e-mail to the e-mail addresses provided on the link above. Here are the emails:
As it was in my best interest to resolve the issue, I tried to be as polite as I could... because I still need to recover the files. If my files are lost, in the end I don't care; if you are stupid like I was, you have to pay... but I really need to recover the photos we have to hand over...
We tried running files via https://id-ransomware.malwarehunterteam.com/, no result, just this:
Please reference this case SHA1: ffd80087266afc7f500601cf69dc6b83c795595d - for an Excel file
Please reference this case SHA1: 8a0bafbe3405eaa5c74d2ca3fe7cf1322352aee3 - for a JPG
While running Kaspersky, a window blocking the following address kept popping up: https://uromatalieslave.space/index.php (which can be traced to the Netherlands).
I still have Kovter on my computer; I will follow the steps provided here to remove it.
I need to mention that while running the scans and everything, I saw somewhere among the malware being removed "trojan pClock" (something like that). After 3 days of reading about CryptoLocker and everything malware, I know that if I do have pClock I stand little to no chance of recovering the files, as there is no decrypter for now.
We will keep all the encrypted files. As we have 2 HDDs running in RAID, both presumed to be encrypted, we will check them both this weekend.
ALSO, we talked to some of our friends who could help with the issue, and one of them managed to open an encrypted JPG with a program, but the photo was not in the original size and data; it had been reduced to a really tiny photo. At this point I can't say with what he managed to open the file; he runs macOS. I will ask him and provide the info if it's helpful.
I tried my best to provide as much info as I could/know; many of the steps above were taken by my boyfriend. If you have any advice that would help me decrypt the files or at least find what is encrypting them, it's much appreciated. If you need any more info, please let me know and I will try to provide it.
Thank you in advance!