InfoWorld had an interesting article on Ransomware Response that I had to read twice before I realized that they weren't concentrating on my lowly small-topology LAN first line of defense, opting for a lot of enterprise esoterics which do not include those practicalities.
My infrastructure can't be hijacked, but I do have a few servers which might fall victim to such an attack were they in the direct line of fire.
It seems that my approach is a "scorched earth" policy of low-level format followed by an immediate restore of the last backup. That backup should be less than 24 hours old if my regimen is maintained via that scripting in place, and the "bare metal" backups ultimately restored should ensure that virtually all of what the ransomware attempted to encrypt from me is returned safe and sound.
To test the hypothesis, I chose a workstation which has been backed up consistently for the past 6 months and low-level formatted it. Upon restore and reboot I could not tell the difference from prior to the destructive testing, and the entire process was less than 10 minutes.
In an enterprise environment, of course, there will be a subset of the population qualified to engage in such antics in real time, but by and large, based on my calculations, I could have my entire network restored in two shakes without paying any ransom whatsoever.
It rather makes me think that we deliberate possible actions too much in DR mode. Disaster recovery is not for the squeamish. It requires more in the way of action and less academics and supposition. Make sure you have a good backup and restore plan in effect at all times for those machines you cannot afford to lose. Don't let the bastards win.