it took them from Tuesday to Saturday
they discovered it late-ish on Friday, were 'restoring' (whatever that really means) over the weekend - or so they were declaring, and all the systems were 'taken down as a precaution' from Monday morning. It's not hard to see the usual pattern though.
p.s. it appears the latest 'wave' of attacks targets poorly (?) secured systems and institutions that hoard, due to their nature of business, large-amount of (time) critical data.
As to the advice: patch, secure, educate, make sure those offline backups are both taken and actually work - how can you verify backups are not infected? In the chaotic rush and pressure from all sides (none lesser than the management, desperate to show they're in control) in order to solve the original infection they initiate their well-practiced backup procedures, thanks God we thought of that! And once completed, 2nd 'bomb' goes of.
p.s. some academies had to resolve to REAL books for teaching. Oh, the abomination! ;)