Now my father sent the PC to a technician so I can't work on it, but now I have the backup drive, and I can access his mail to download (and not execute) the virus. I'll check the virus name on VirusTotal.
If the files really are encrypted... They are probably lost unless your dad pays the ransom. They aren't kidding around with those ransomwares; if the files were easy to recover then people wouldn't pay the ransom. If you can find the name of the ransomware, there are probably instructions for removal on Google. Those instructions tend to come with a warning that your files will be lost if you go through with the removal.
If the encryption key is stored on the PC and not on some remote server, there's a chance you could recover the files, but you'd have to read about the specific ransomware to know. Hopefully the files are recoverable.
Now I'm trying with Recuva, and I checked on the mail but he deleted the spam message. So I need to wait until the technician gives the computer back to my father and I can check the executable that hopefully he didn't delete. DAMN
Did you check the deleted folder in the inbox?
I don't think he'll pay the ransom, but the thing that I can't stand is that it encrypted even the file on the backup drive, it's unfair.
If you are asking these sorts of questions you are really not ready to go toe to toe with these sorts of things, at least beyond wiping the computer and starting again.
Some of the early stuff was implemented poorly and weaknesses in the crypto and implementations allowed you to pull things back. Today not so much; there is no preloaded key for any of the reports I have seen and it is all remotely generated keys with proper crypto (no known-plaintext options or stuff like that).
Unless you are going to pay the ransom (I would not encourage it, however they are your/your dad's files so not my decision at all) then, while memory is fresh, start piecing together files your dad might have sent via email, have on USB drives or otherwise have uploaded or stored in another location, even if you have to OCR a printout or update from an older version. Hopefully it did not encrypt any directory/file names so you have those as well (and hopefully your dad used a proper file naming scheme).