G+_Peter Hanse Posted May 19, 2017 For the latest episode with WannaCry, the last step it took after encrypting is to delete files. Does anyone know if they secure delete those files? If not, then the file is still on the drive, just the record of it is missing, and you should be able to use a data recovery tool.
G+_Shooter_FPV (Shooter_FP Posted May 19, 2017 Being that I haven't really researched WannaCry that much yet, and haven't seen 312 yet... if it encrypts the files, then deletes them, wouldn't you just be recovering encrypted files?
G+_Ben Reese Posted May 20, 2017 Ken Jancef, the ransomware is creating an encrypted copy, then deleting the original. Peter Hanse, I think that would probably work as long as your drive isn't so full that it starts overwriting those sectors again. And I haven't tried recovering files from an SSD. Is that as effective as recovering from an HDD?
G+_Shooter_FPV (Shooter_FP Posted May 20, 2017 Ben Reese Ahh... OK. Makes sense then. I wonder if the ransomware is smart enough to do something like a DBAN delete on the files. If not, then yeah, I'd think you could recover them that way. Would love to see if that works... well... not with my data... ;)
G+_Peter Hanse Posted May 20, 2017 Author Maybe Fr. Robert Ballecer, SJ can check with the drives he uses on the show. I would think if this is possible it would be a good way to recover data. But if the makers of the virus had any sense they would do a secure delete by overwriting the old file, not just deleting it from the master record.
G+_David Keeler Posted May 21, 2017 But... if you tried to recover the files, wouldn't they just get re-encrypted as soon as you accessed them? Remember, any drive you use will be tainted with the virus...
G+_Peter Hanse Posted May 21, 2017 Author Not if you use OS X or Linux to extract the files, as the original virus only affects Windows machines. Don't boot from the infected drive.
G+_Ben Reese Posted May 21, 2017 As far as I could tell, the encryption only happens while the executable is running. Kill the exe and you stop the encryption process. From the show, it also looked like it won't delete the originals for a few seconds after the .wanacry copy is made. Perhaps someone could create a folder-watch script that shuts down the system as soon as the file is found?
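A folder-watch detector of the kind the post above suggests, as an added example that is not part of the thread or of any tool it mentions: it polls a directory, flags a new file carrying the copy suffix the post reports (".wanacry", taken from the post as a placeholder) and an original that vanishes while that copy remains, then hands the alerts to a response callback (the shutdown the post proposes would go there). Assumes Python 3.8+ and the standard library only; the sample files in demo() are constructed.

```python
import os
import tempfile
import time
from pathlib import Path

SUSPICIOUS_SUFFIXES = {".wanacry"}  # suffix as reported in the thread; placeholder, adjust per variant

def snapshot(folder):
    """One polling pass: map every regular file under folder to its mtime."""
    state = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            p = Path(root) / name
            try:
                state[str(p)] = p.stat().st_mtime
            except FileNotFoundError:
                pass  # vanished between listing and stat; the next pass will see it
    return state

def detect(prev, cur):
    """New files carrying a ransomware suffix, and originals gone while their copy remains."""
    alerts = []
    for path in sorted(set(cur) - set(prev)):
        if Path(path).suffix.lower() in SUSPICIOUS_SUFFIXES:
            alerts.append("encrypted copy created: " + path)
    for path in sorted(set(prev) - set(cur)):
        if any(path + suf in cur for suf in SUSPICIOUS_SUFFIXES):
            alerts.append("original removed after copy: " + path)
    return alerts

def watch(folder, respond, interval=0.5, passes=None):
    """Poll folder; on the first alert call respond(alerts) and return the alert count."""
    prev, done = snapshot(folder), 0
    while passes is None or done < passes:
        time.sleep(interval)
        cur = snapshot(folder)
        if alerts := detect(prev, cur):
            respond(alerts)  # the thread's idea: shut the machine down or kill the process
            return len(alerts)
        prev, done = cur, done + 1
    return 0

def demo():
    """Constructed scenario: original written, encrypted copy appears, original deleted."""
    d = Path(tempfile.mkdtemp())
    (d / "report.docx").write_text("constructed sample document")
    before = snapshot(d)
    (d / "report.docx.wanacry").write_bytes(b"\x00constructed ciphertext")
    (d / "report.docx").unlink()
    return detect(before, snapshot(d))
```

Because the copy and the delete are separate events, a responder that reacts to the first alert acts while the original is still on disk; polling at half-second intervals is coarse, so a production version would use the OS's change-notification API instead.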