Re: Live and learn, the hard way
Well lets look at a quick cost benefit analysis.
Assume you are a small company with an in house development team of 5 permenant developer, you are in the middle of a big project so you have an additional 5 contract developers too. Due to the nature of your business your developers work on virtual machines hosted on your network (The virtual disks, like everything else are hosted on a SAN), they have laptops but they are basically used as thin clients 90% of the time.
Not too unusual, actually pretty much describes where I am working now.
So you discover the infection three days in, your SAN has been encrypted for the last 72 hours and as a result the 3 backup sets you have for those days are also encrypted, your source control and all of the developer VMs are unavailable.
You have three options, the first is to use a free tool/vunerability in the malware to decrypt - assume this is not possible.
Option 2. Pay the $28k/£23k
option 3. Restore the developer VMs to a good state and loose three days work - have the dev team re-do it.
In your scenario you have ruled out option 2 so we are left with option 3. Re-work.
So we have 5 Permie developers (Lets assume on £45k a year average so around £170 a day each * number of staff * number of days for re-work = £2550)
You also have 5 contractors at £500 a day = £7500 (+ VAT realistically but lets ignore that)
So your total cost JUST for staffing the re-work is £10k (Not counting the down time you have to pay the devs while they wait for the restore), Factor in the cost of recovering the three day old backups and in all likelihood the overtime to catch up with where you were and you're approaching a point where you say, fuck it its close enough to be in our interests to lose as little time as possible, option 1 costs £23k and we can be back up and running in 24 hours option 3 costs £10k in wages for the dev team alone and we will be 3-4 days behind with a potential overtime bill of £10k to get back on track... In that situation I'd take the extra few k hit to stay on track.
The other scenario is that your production database and its backups are affected... in that situation your options are pay or loose 3 days worth of data with no way to recover...
You have to remember that once you're infected its too late, it IS going to cost you money whether that is spent restoring backups, paying wages for re-work etc or paying some scum bag to decrypt the data.. there is a tipping point where one option (even the unpalatable one) becomes more desirable from the perspective of continuation of normal business activities.
As with normal backups, I suspect that this will be a lesson learned, same as when I dropped my NAS down the stairs... loosing a few TB of personal data taught me the value of backups... I suspect the budget allocated to the implementation and testing of the backup solution here might be increased...