We were hit by Ransomware last week. I thought we had isolated the problem to the PC and removed quickly from network. I had several file directories I had to restore from tape. I thought all was ok. Everything domain-wide seems to be working ok. I started doing a little more research and found that the local c:\windws\sysvol\ directories were all hit with the ransom-file replacement. All have the timestamps of the rogue Trojan.
What do I do? I probably have a system state backed up from several DCs. I have 2 Win2k12R2 DC servers and they don't appear to have the sysvol folder. Starting to panic.