Just a quick post that something similar happened to me at a previous company... I'll share some facts about what happened in that scenario.
Had a call one night: a director couldn't get email. Then had a call from the vendor who supports the 24/7 infrastructure saying he could see SQL servers being encrypted.
By the time I logged in via VPN, 43 servers were hit and 110 user laptops / desktops.
SAMAS was the cause... Now let's look at how it happened...
An RRAS server was still being used and was brute-forced as it had a weak password, which allowed the hackers in, and they hacked AD to make an account called administrators. The hackers were in the system for approx. 6 days before the attack took place, hence if you call your server VEEAM or VBK etc. it's easy to locate it - remember it's easy for others to identify too. The RRAS server IP was published on shodan.io, and 4 days after it appeared on there as having an RRAS server it was hit.
I had offsite tape backups and recalled them from Iron Mountain and started the restore process. 10TB of data wasn't too bad. But the board of the company took the decision that it was easier to pay the £15,000 in bitcoins than wait for all the laptops to be recovered by IT, so it was paid and the encryption keys obtained. Yes, not ideal, but in a large PLC it was small change.
There are many ways to hide the server and use other techniques, but security starts with every admin. Files don't just disappear with SAMAS; they get deleted and then encrypted to stop restores being possible...
We actually caught the SAMAS strain and passed it to Symantec and the FBI, as the strain wasn't known back in October last year.
We also re-wrote the DEC2.EXE decrypt exe from 3 passes at decoding down to 1 - it only needed 1 pass, speeding the decrypt process up (not that the other 2 passes did anything except waste time).
Indeed an SSL VPN was installed, yes with user accounts, and the lazy IT folks who used the same passwords for both their user and their domain admin accounts got educated.
People need to (if you don't already) pay for a pen test and see the amount of vulnerabilities it comes back with.. in this case it was over 6,000 remedial actions from VMware exploits, Windows update exploits, Java exploits, even Symantec AV client exploits... IIS exploits, SSL exploits. Even if you think your infrastructure is up to date, it's worth calling a pen tester in for a day or two... might be the best thing you do this year.
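As an added example, not part of the post above or of the incident it describes, here is detection logic for the chain the poster lays out: a password brute-force against the remote-access box, a successful logon from the same address, then creation of an account whose name mimics a built-in principal, with the dwell time between foothold and that creation. It runs over a constructed sample of Windows Security events (IDs 4625 failed logon, 4624 successful logon, 4720 user account created are the real event IDs; the field names, thresholds and the built-in-name list are assumptions you would adapt to your own log pipeline).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs used below.
FAILED_LOGON, SUCCESS_LOGON, USER_CREATED = 4625, 4624, 4720

# Built-in principals an attacker-created account should never resemble.
# Assumed starting list; extend for your environment.
BUILTIN_NAMES = {"administrator", "administrators", "guest", "krbtgt",
                 "domainadmins", "enterpriseadmins", "system"}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sample_events():
    """Constructed sample log, not real telemetry. Mirrors the chain in the
    post: a burst of failed logons against the RRAS host from one address,
    a success from the same address, and a lookalike account created six
    days later. Two benign records are mixed in as negatives."""
    events, t0 = [], _t("2016-10-01 02:00:00")
    for i in range(40):  # one guess every 4 seconds for ~2.5 minutes
        events.append({"time": t0 + timedelta(seconds=4 * i), "id": FAILED_LOGON,
                       "account": "rras-admin", "src_ip": "198.51.100.23"})
    events.append({"time": t0 + timedelta(seconds=190), "id": SUCCESS_LOGON,
                   "account": "rras-admin", "src_ip": "198.51.100.23"})
    events.append({"time": _t("2016-10-01 08:15:00"), "id": FAILED_LOGON,
                   "account": "jsmith", "src_ip": "10.0.0.5"})  # benign typo
    events.append({"time": _t("2016-10-01 08:15:20"), "id": SUCCESS_LOGON,
                   "account": "jsmith", "src_ip": "10.0.0.5"})
    events.append({"time": _t("2016-10-03 09:00:00"), "id": USER_CREATED,
                   "account": "helpdesk1", "new_account": "mjones"})  # benign
    events.append({"time": _t("2016-10-07 02:30:00"), "id": USER_CREATED,
                   "account": "rras-admin", "new_account": "administrators"})
    return events


def find_bruteforce(events, threshold=10, window=timedelta(minutes=5),
                    follow=timedelta(hours=1)):
    """One finding per source IP with >= threshold failed logons inside
    `window`, recording a successful logon from that IP within `follow`
    of the burst's end (the foothold) if there was one."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            fails[e["src_ip"]].append(e["time"])
        elif e["id"] == SUCCESS_LOGON:
            successes[e["src_ip"]].append(e)
    findings = []
    for ip, times in fails.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                burst_end = times[-1]
                hit = next((s for s in sorted(successes[ip], key=lambda s: s["time"])
                            if burst_end <= s["time"] <= burst_end + follow), None)
                findings.append({"src_ip": ip, "failures": len(times),
                                 "first": times[0], "last": burst_end, "success": hit})
                break
    return findings


def _edits(a, b):
    """Levenshtein distance; inputs are short account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_accounts(events, max_edits=1):
    """4720 events whose new account name equals, or is within `max_edits`
    of, a built-in name once case and punctuation are stripped."""
    out = []
    for e in events:
        if e["id"] == USER_CREATED:
            norm = re.sub(r"[^a-z0-9]", "", e["new_account"].lower())
            if any(_edits(norm, b) <= max_edits for b in BUILTIN_NAMES):
                out.append(e)
    return out


def dwell_time(events):
    """Whole days from the brute-forced foothold to the first lookalike
    account created by that same logon account, or None."""
    creations = lookalike_accounts(events)
    for f in find_bruteforce(events):
        if f["success"] is None:
            continue
        owner, start = f["success"]["account"], f["success"]["time"]
        later = [c["time"] for c in creations
                 if c["account"] == owner and c["time"] >= start]
        if later:
            return (min(later) - start).days
    return None


if __name__ == "__main__":
    evs = build_sample_events()
    for f in find_bruteforce(evs):
        print("brute force from", f["src_ip"], f["failures"], "failures;",
              "foothold as", f["success"]["account"] if f["success"] else None)
    for c in lookalike_accounts(evs):
        print("lookalike account", c["new_account"], "created by", c["account"])
    print("dwell days:", dwell_time(evs))
```

The sliding window keeps the brute-force check linear in the number of failures per source, and the follow-up success is what turns "noise" into a foothold worth chasing. The lookalike check is deliberately fuzzy (one edit) so that "Admin1strator" or "krb-tgt" is caught alongside an exact "administrators", which is the kind of name an attacker picks precisely because nobody looks twice at it.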