Two local drives on which there were a lot of Word documents. The virus has encrypted everything. I scan a lot of programs to recover deleted files and the result is the same. On one disc, all files and folders are restored. The other is empty, as if these files were not there at all, nor a trace. The virus on another disk couldn’t get rid of them anyway. For example, encrypt and save in the same file. As far as I know, if something is added to the file, it is saved on the hard disk in a new place. I have one disk and it is magnetic, not ssd. The hard work itself was at 10 percent and recovery attempts were made right away. I do not understand how you can be so that from a couple of hundred files there is not a trace left?

  • one
    The virus can easily be bugs, why not. - D-side
  • The same virus on many computers. Some local disks are restored, some are not. What he can do is that the file will not find a program for recovery? - Turalllb
  • The "program for recovery" as a whole is unreliable because it searches for something in the space that is listed as free for the file system. The file system can use this space as it pleases. If the system actively creates and deletes files, which is typical for a cryptographic suppressor during operation, you can not count on recovery from an unused space: it will be reused for other files. And the cryptographer could theoretically use secure erase for files: write garbage on top of their contents several times before deleting. Everything is bad. - D-side
  • There is only one virus. On both local drives. On one, he restored everything, their 300 documents are all in place. Secondly, the virus does not decide where in the hard disk the junk file or the new file is written. A hard 90 percent was empty. Well, he could not rewrite other files from above and delete everything to Zero. At least one file even with hieroglyphs would be preserved. Exactly the same situation on the server computer, There is also one local disk as if there were no files. - Turalllb
  • Hmm .. Removing shadow copies? - Qwertiy

1 answer 1

They wrote on Habré that he was actively writing garbage to the disk - just to reduce the chances of recovering deleted files. Apparently, he succeeded.

  • Perhaps, but in this case I should see this garbage. And I do not see him. Or is it a stupid set of bytes without any permissions, which the recovery programs do not associate with anything. - Turalllb