I was wondering, once the ransomware process has started, how does it make sure the files are unrecoverable (encryption weaknesses not withstanding):
- Overwriting files instead of deleting them?
- Deleting the original unencrypted files but removing shadow copies?
