Problem
A few weeks back we got hit with a Dharma ransomware variant called "Money". We made the incorrect assumption that this variant began right at the time the user opened the malicious attachment or link.
Saturday we found out that it was actually time-delayed like a lot of them are these days, so although we have decent backup policies and backup retention, we don't have any way to confidently say that we aren't just restoring to snapshots that have the dormant virus living on them.
Since our first time restoring snapshots of all the servers ended with a repeat of the same virus just 10 days later, we're not sure how far back we need to go in order to be sure we're out of the woods.
Attempts at Detection
We had Malwarebytes Premium running on the server we believe started this mess and it didn't detect anything. After the first attack we ran numerous scans with Malwarebytes Premium and enabled Windows Defender with Controlled Folder Access on the restored snapshot that we thought was safe. Since we found nothing, we incorrectly assumed we were in the clear.
Other Info
The Remote Desktop VM we think started the virus has been deleted instead of restored to a snapshot this time, but we have many other servers we can't do that with.
Does anyone have any experience with this virus or have some ideas of how we can detect the malicious EXE lying dormant? That, or any good anti-ransomware software you have experience with?
We are all reverted back, but we really need some guidance on prevention and detection of this virus and other ransomware just like it.
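The question above is how to find a payload that is waiting on a restored snapshot rather than running. A time-delayed payload has to live somewhere that survives a reboot and fires later: a scheduled task, a Run/RunOnce key, a service, a WMI event subscription or a startup folder. The script below is an added example, not code from the original post or from any reply to it, and not a Dharma-specific detector: it inventories those persistence locations on a restored VM, resolves each entry to the binary it launches, records the Authenticode signer, SHA-256 hash and creation time, and flags anything that is not Microsoft-signed, sits in a user-writable directory, or was created after an assumed intrusion window (the `-Since` default of 60 days, the directory patterns in `$WritableRoots` and the output path are all assumptions to adjust for your environment). Run it elevated, on the restored snapshot while it is still isolated from the network, and diff the CSV against the same inventory from a host you trust.

```powershell
# Added example (not from the original post): inventory Windows persistence
# locations a time-delayed payload would use, so a restored snapshot can be
# triaged before it goes back into service. Needs Windows Server 2012 R2+ for
# Get-ScheduledTask / Get-CimInstance / Get-FileHash. Run elevated, offline.
[CmdletBinding()]
param(
    [datetime]$Since = (Get-Date).AddDays(-60),          # assumed intrusion window
    [string]$OutCsv  = "$env:TEMP\persistence-inventory.csv"  # assumed output path
)
# Assumed: directories where a non-admin or a dropper can write binaries.
$WritableRoots = '\\Users\\', '\\ProgramData\\', '\\Temp\\', '\\AppData\\', '\\Public\\', '\\Windows\\Tasks\\'

function Resolve-ExePath {
    # Extract the launched file from  "C:\x\y.exe" /a ,  %SystemRoot%\foo.exe -k x , or a bare path.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { return $expanded }   # plain path, may contain spaces
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(?:exe|dll|bat|cmd|ps1|vbs|js|wsf|scr))(\s|$)') { return $Matches[1] }
    return $expanded.Split(' ')[0]
}

function New-Finding {
    # Build one inventory row; $Suspicious is true when any flag below fires.
    param([string]$Source, [string]$Location, [string]$CommandLine, [string]$Schedule)
    $path   = Resolve-ExePath $CommandLine
    $exists = $path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $sig = $null; $hash = $null; $created = $null
    if ($exists) {
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $created = (Get-Item -LiteralPath $path).CreationTime
    }
    $signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $microsoft = $sig -and $sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation'
    $reasons = @()
    if (-not $exists)        { $reasons += 'target missing or unparsed' }
    elseif (-not $microsoft) { $reasons += "not Microsoft-signed ($($sig.Status))" }
    if ($path -and ($WritableRoots | Where-Object { $path -match $_ })) { $reasons += 'user-writable location' }
    if ($created -and $created -gt $Since) { $reasons += "created $($created.ToString('s'))" }
    [pscustomobject]@{
        Source = $Source; Location = $Location; Schedule = $Schedule; CommandLine = $CommandLine
        Path = $path; Signer = $signer; SHA256 = $hash; Created = $created
        Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
    }
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Scheduled tasks: the usual way to delay execution. Record each trigger's StartBoundary.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    $when = ($task.Triggers | ForEach-Object { $_.StartBoundary }) -join ','
    foreach ($a in $task.Actions) {
        if ($a.Execute) { $findings.Add((New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)" $when)) }
    }
}
# 2. Services: anything whose binary is not Microsoft-signed or lives in a writable path.
Get-CimInstance Win32_Service | ForEach-Object {
    $findings.Add((New-Finding 'Service' "$($_.Name) ($($_.StartMode))" $_.PathName ''))
}
# 3. Run / RunOnce keys for the machine, 32-bit view, and every loaded user hive.
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object {
    "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    if (-not $key -or -not (Test-Path -Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { $findings.Add((New-Finding 'RunKey' "$key\$($_.Name)" $_.Value '')) }
}
# 4. WMI permanent event subscriptions: fileless persistence that file scanners never see.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add((New-Finding 'WmiConsumer' $_.Name $_.CommandLineTemplate '')) }
# 5. Startup folders: .lnk files are unsigned, so every entry here is flagged for review on purpose.
$startup = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add((New-Finding 'StartupFolder' $_.DirectoryName $_.FullName '')) }

$findings | Sort-Object Suspicious -Descending | Export-Csv -NoTypeInformation -Path $OutCsv
$findings | Where-Object Suspicious | Format-Table Source, Location, Schedule, Path, Reasons -AutoSize
"Inventory written to $OutCsv ($($findings.Count) entries); diff it against a known-clean host."
```

The `Schedule` column is the point for the time-delay problem in the post: a task whose `StartBoundary` is days in the future, or a `RunOnce` value on a server that nobody has logged into, is exactly the kind of entry a signature scan of the running system will not call malicious. The script only covers persistence a payload leaves on disk or in the registry; it says nothing about how the VM was reached in the first place, so the Remote Desktop exposure mentioned above still needs to be addressed separately before any restored snapshot goes back online.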