Fortunately, we did not have to do any of that. We simply restored the original files from backup. We also used a downloadable decrypter made publicly available by a well-known antivirus company to unlock the few files that were more recent than the last backup. That whole process took about two hours.
How did this happen? After discussion with the affected employee, I learned that he was just looking at the day's news on a major news agency's website, and had done nothing to trigger the ransomware infection, as has been the case in past incidents. He received neither a notification nor a request for confirmation of the malware's installation. In fact, the only people who knew about the infection were on my team. Without our network monitoring, there would have been zero knowledge of the ransomware until somebody discovered the encrypted files.
What concerns me most about this incident is the speed at which this malware infection deployed itself and did its damage. My team responded as fast as humanly possible, yet the ransomware got in and out of our network storage before they could stop it. This tells me that none of us can expect to be able to stop, or even contain, the damage caused by malicious code while it is active. And knowing that malicious code comes from well-known websites and enters my network without any user intervention, I now realize I can't prevent all malware infections. I just have to be ready for the next one -- and be prepared to do damage control.