It can be downloaded through malicious or compromised websites, through a payload delivered by other malware or through an attachment to an email.

The latest variants (teslacrypt in particular) may not be picked up by anti-malware and anti-virus software, however please ensure that your virus definitions are up to date as all vendors will be urgently working on a resolution.

Keeping your plugins/software up to date is also important; the most recent attacks have been using vulnerabilities that exist in older versions of Adobe Flash Player but are fixed in the current version for example.

Keep privileged users/users with local administrator rights to a minimum - up to 90% of malware can be prevented if the user does not have local administrator rights. In addition, in unauthorised executables are blocked from running by software restrictions policies, however local administrators and privileged users are exempt from this policy making them vulnerable.

Ensure that your backups are up to date and verified; upon infection restoration of a backup is the only guaranteed method of getting your data back.

The most vulnerable route into a network is through the users so please educate them regarding safe Internet and email usage. These viruses are usually spread through emails. Users should report any suspicious emails and refrain from opening attachments, or clicking links in emails, unless they are certain they are authentic and are from someone they trust, while keeping in mind that the computer of even a trusted person may have been infected by a virus and be sending mail pretending to be them. So, if they are not expecting an attachment or link from someone, it is safer to contact them for assurance before opening or clicking.

Also see SMBV3 vulnerability from March 2020 - The Microsoft SMB v3 vulnerability, CVE-2020-0796, was disclosed and patched in March 2020Preventing SMB traffic from lateral connections and entering or leaving the network (microsoft.com)

These issues are relatively straight forward to deal with - provided that you have backups.

Ransomware works by working through the drives the user has mapped/local to encrypt the files. It then alerts the user (normally via a text file next to the encrypted documents such as "decryptme.txt" or similar) how to pay for the decryption instructions and keys.

The servers themselves are not usually infected - unless someone logged on to the server (console or RDP) and introduced the virus whilst logged on. It is highly likely that the Ransomware is resident on one or more computers on your network.

REPORT

In the United Kingdom, go to the Action Fraud website. Report ASAP

Also log an insurance claim with our Cyber Security insurer - either the RPA/Hiscox policy as of March 2021.

1. Check for the owner of the decryptme.txt (or similar) file via its properties - that's your infected user. You can also search home folders for the decryptme.txt (or similar file) to ensure that only one of your users is infected.
2. Disable the user account to prevent further encryption. The encryption process takes time - if you have large data shares the user has access to, it may be several hours for it to work through all the files.
3. Now track the infected machine down. The created date of the decryptme.txt file gives the date and time of infection, so ask the user which machine they were on if you don't have any method to track this. Disable the machine account if you cannot immediately get to it (via AD Users & Computers). (This will prevent other users logging on to the machine and possibly (variant dependent) kicking off more encryption.)

1. Clean the computer - via a rebuild (one option is to use your AV solution if it is up to date, but a rebuild is far better and our recommended approach).
2. Reset the user profile - check home folders/redirected folders for any temporary Internet files, etc. and delete these.
3. Speak with the user to try and identify the file or email that started the infection. Has this file been stored anywhere where it can be relaunched - or has the email been forwarded on to anyone? Depending on the variant it may have been a file on a USB stick, or an attachment, or even a website visited. Try to determine the initial cause and delete where appropriate. You can scan suspicious files and URLs using https://www.virustotal.com.
4. Do your restore - anything the user had access to will need to be checked (don't forget local MIS server shares - if it's a teacher then the MIS server will need to be checked as it likely has some report and document stores).
5. Office 365 protection and OneDrive can also help restore following a Ransomware infection Ransomware detection and recovering your files - OneDrive (home or personal) (microsoft.com)

Some variants change the files - renaming to be MP3 files for example. In this case you can delete all the MP3 files modified from the infection date and then do your restore, ignoring any files that exist already (far quicker than restoring entire large volumes).