Just got Rapid ransomware today. One smart thing our vendor did was that they probably used the volume ID instead of a drive letter to do the backup, therefore there was no drive letter and it was not infected.
Things to do 1
Use volume ID instead of drive letter to do backup.
Then I bought another HDD and copied the files to the HDD and tried to restore to the server folder.
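One way to set up what "Things to do 1" describes, as an added example that is not part of the original post or the vendor's actual configuration: strip the drive letter from a dedicated backup volume and back up to its volume GUID path. The volume label BACKUP, the source C: and the use of Windows Server Backup (wbadmin) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: the backup volume is labelled 'BACKUP', the data
# to protect is on C:, and the Windows Server Backup feature is installed.
$label  = 'BACKUP'
$source = 'C:'

$volume = Get-Volume -FileSystemLabel $label -ErrorAction Stop
if (@($volume).Count -ne 1) {
    throw "Expected exactly one volume labelled '$label'."
}
$partition = Get-Partition -Volume $volume

# Remove every drive-letter access path so the volume no longer shows up as X:\
foreach ($path in $partition.AccessPaths) {
    if ($path -match '^[A-Za-z]:\\$') {
        Remove-PartitionAccessPath -DiskNumber $partition.DiskNumber `
            -PartitionNumber $partition.PartitionNumber -AccessPath $path
        Write-Host "Removed drive letter $path"
    }
}

# On GPT disks, also stop Windows from handing out a new letter later
$disk = Get-Disk -Number $partition.DiskNumber
if ($disk.PartitionStyle -eq 'GPT') {
    Set-Partition -DiskNumber $partition.DiskNumber `
        -PartitionNumber $partition.PartitionNumber -NoDefaultDriveLetter $true
}

# The volume stays reachable through its GUID path: \\?\Volume{...}
$target = $volume.Path.TrimEnd('\')
Write-Host "Backup target: $target"

# Back up to the GUID path instead of a drive letter
wbadmin start backup "-backupTarget:$target" "-include:$source" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE"
}
```

A volume with no letter is skipped by anything that only walks drive letters, but it is still reachable by a process running as administrator, so it complements the extra offline copy rather than replacing it.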
Things to do 2
Make additional backups of your original data and don't experiment with your original backup data in case it gets infected.
So after looking for a while, we saw that only the user folder was infected. We also changed the password of the user who was the owner of the ransomware's recovery file. We deleted the files on the server that were infected and restored the backup files to the server. After calculating file size, the copying failed. We were not sure what happened. After multiple tries it still failed. The Kaspersky antivirus was detecting nothing. We also installed Malwarebytes Anti-Malware and it was detecting nothing. After that we took the HDD and explored it. The recovery file was there. It seems to have infected the system already.
Things to do 3
Probably the laziest thing everyone says.
Do a full restore instead of cleaning up, because you can never be sure a backdoor has been installed or something.
Also, basically we don't really have a choice in this case.