Since encryption was interrupted full disk encryption might not have taken place. But you are right MFT's might have been encrypted.Since R-studio couldn't locate MFT's , I have not run DMDE fully .Attached log is partial only (4%)
As per FBI ---
The ransomware program consists of the open source, off-the-shelf, disk encryption software
DiskCryptor wrapped in a program which installs and starts disk encryption in the background using
a key of the attacker’s choosing. The attacker passes the encryption key via the command-line
parameter: [Ransomware Filename].exe <password>. The ransomware extracts a set of
files and installs an encryption service. The ransomware program restarts the system about two
minutes after installation of DiskCryptor to complete driver installation. The encryption key and the
shutdown time variable are saved to the configuration file (myConf.txt) and is readable until the
second restart about two hours later which concludes the encryption and displays the ransom note.
If any of the DiskCryptor files are detected, attempts should be made to determine if the myConf.txt
is still accessible. If so, then the password can be recovered without paying the ransom. This
opportunity is limited to the point in which the system reboots for the second time
Thanks for your help