Today one of our PCs got infected with the nasty CryptoLocker trojan crap. The PC was a Windows XP machine with up-to-date NOD32 a/v. As you probably know, the virus encrypts your files with a 2048-bit RSA public key and only the bad guy has the private key. So... they ask for 1.16 BTC or 500 EUR as a ransom via TOR.

Glancing through Google results, I saw some of the resources mentioning that it encrypts the files and then deletes the original ones. So, is it possible to recover those deleted files using some recovery tools like "Recuva"? Maybe some Linux magic? Or have they thought of that too and the data loss is permanent?

Some of the search results say that they could have left the private key behind in the %appdata% folder or that kind of stuff, though I seriously doubt it :)

Please share your experience if you had that happen to you and you managed to recover or if you have any suggestions. Any help is appreciated!

PS. I can't physically access the machine as of right now, as it hasn't been shipped from the branch office yet, so I can't really try anything. Just want to prepare for the good or the bad.

Ashtray