Managed Services Infrastructure Engineer (MCPS, MCSA)
Ransom-ware spreads like crazy because unlike a virus it carries the promise of getting the infected data back and dangles it like a carrot. Even though there is no good way to recover data reliably from Crypto and other ransom-ware; organizations will try. But if the data wasn’t protected and backed up to begin with; even recovered, how can you ever trust it?
The reality is with most Ransom-ware the only offense is going to be a good defense. So any good solution is going to involve restoring data and not recovering it. Antivirus programs have already failed at the point that the ransom-ware is spreading. While cracking the encryption might open a file full of garbage or other infected content. Paying the fee carries the same risks, plus the party ransoming the software may not even do anything but take the money and run. There is just no way to know if any of the data once compromised will be left unedited and clean from malware.
Fortunately, there are a ridiculous number of resources available to backup and restore data real time. These require preemptive action, but they are not necessarily expensive, complicated, or time consuming; and they allow quicker recovery usually than a full AV scan. These are only a few, but they work well.
Restore from a Recovery Restore Point
Windows 10 can be setup to record and restore a system to regularly created restore points. This integrates closely with the system restore tools in Windows 10 and can therefore be used more easily to recover the locked files once the virus is removed.
Cloud drive services
Google and Microsoft cloud drive services not only virus scan the content in the store possibly preventing infection to begin with, but also support versioning so clean versions of the documents can be recovered online.
The old windows backup utilities are still there and can be scripted in task manager to run daily or hourly. While these are harder to use for full system recoveries, they work well for the recovery of documents that are grabbed and encrypted by ransom-ware.
Windows Refresh and document archives
New versions of Windows allow the Windows install to be reset to the default and rejoined to an enterprise domain. Physical backups can then rebuild the missing data and programs can be reinstalled without having to reapply all the updates and find drivers.
If there is no policy in place at the organization level, users themselves can use most of the methods above freely as part of the OS utilities to preserve their data and ensure it stays safe. But knowing that the best fix is always going to be a wipe and reload of the computer, generally all good IT departments should already have a real-time backup and recovery plan in place before the infection occurs.