The obvious of paying the “ransom” only encourages them and I doubt that the “key” will remove the malware permanently, and that they will keep coming to the well for more $
Totally agree. Give a wolf a taste and he’ll be back for more - Kerim Bey.
1) Take the machine off the intranet IMMEDIATELY.
2) Pay the money; I have never heard of someone not getting a key.
3) Unlock the data you want. Take the data off onto a USB, and on a computer you do not care about, insert the USB and run about 100,000 virus and rootkit scans.
4) Factory re-image the infected computer.
5) Factory-reset all the peripherals around it (I was once infected with a rootkit that flashed the firmware in a router, to reinfect my computer even after I factory-reimaged).
6) From that point on, all backups go on to one of several devices, and each device is taken offline after the backup.