In the last two weeks I had two cases where customers' data was deleted without them authorizing anything. They were working, and suddenly the data was missing. In both cases I found a hidden folder in the user profile named "Window's updating....please wait" containing ConnectWiseControl.ClientSetup.msi, mailpv.cfg, mailpv.exe, monitoring_agent.exe, and Tender.msi. The files were mostly documents and accounting system data files. In one case files were deleted from a NAS drive as well.
No data could be retrieved from previous versions or the recycle bin. Normal data recovery software also only yielded limited results.
In both cases the client confirmed that a Windows update screen popped up while they were working, and forced the PC to reboot.
Has anyone else come across this, and any ideas to recover data and prevent future attacks?
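
Added example, not part of the original post: a sweep of a user-profile tree (a live `C:\Users` or a mounted disk image) for the folder name and file names reported above. The function names, the depth limit and the two-file threshold are assumptions of this example.

```python
import os
import stat
from pathlib import Path

# Folder name and file names exactly as reported in the post (compared case-insensitively).
IOC_FOLDER = "window's updating....please wait"
IOC_FILES = {"connectwisecontrol.clientsetup.msi", "mailpv.cfg", "mailpv.exe",
             "monitoring_agent.exe", "tender.msi"}

def is_hidden(path):
    """True if the Windows hidden attribute is set; False where the attribute is unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def sweep_profiles(profiles_root, max_depth=3, min_files=2):
    """Flag folders that carry the reported name or hold at least min_files of the reported files.

    A single file name (for example a remote-support installer) can be legitimate,
    so a renamed folder is only flagged when several of the names occur together.
    """
    findings = []
    root = Path(profiles_root)
    base_depth = len(root.parts)
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if len(Path(dirpath).parts) - base_depth >= max_depth:
            dirnames[:] = []  # inspect this folder but do not descend further
        present = sorted(f for f in filenames if f.lower() in IOC_FILES)
        name_match = Path(dirpath).name.lower() == IOC_FOLDER
        if name_match or len(present) >= min_files:
            findings.append({
                "path": dirpath,
                "name_match": name_match,
                "files": present,
                "hidden": is_hidden(dirpath),
            })
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    for hit in sweep_profiles(target):
        print(hit)
```

A hit is a lead for triage rather than proof of compromise; preserve the folder and its timestamps before removing anything.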