So basically if the guy at some point moved - duplicated - deleted to trashcan one copy of wallet.dat - emptied the trashcan, Recuva would work to recover it even if the HD is encrypted, since the ransomware would not encrypt that deleted file.
Never heared from such an idea
I think this depends on how the ransomware is coded. It might be the case that the ransomware is going to encrypt the whole HD (not just all files, but all sectors of the hard drive).
In this case this wouldn't work, unfortunately.
Additionally it also depends on whether the deleted files already got overwritten.
Assuming HDD (because recovery is extremely difficulty on SSD's):
If you move your file into the trashcan and empty it, the file is not really 'deleted'. The space (where the file was) is being released.
Depending on how much space your HD has and how much you are writing onto your HD, the timeframe in which the file is still available varys heavily.
For example: If you 'fill' your harddrive completely, your file is no longer available on your HD, for sure.
Wow, that's a good reason to create a copy of your wallet.dat, delete it to trashcan and empty it, just in case you ever get ransomware. Interesting way to back up a wallet.dat
At least that could work in such a case
But i'd still recommend a 'standard' backup (e.g. move to USB's) instead of deleting a copy in the hope of being able to recover it someday