So, a small business I work for was hit with a variant of FenixLocker. RDP was brute-forced and the attacker copied a payload "svchost.exe" to a folder, executed it and left. It found our fileshares and went to town. As soon as we realized the culprit, we shut down the server in question and are in the process of rebuilding it. RDP has been disabled and we're working on scanning the network. Don't really need help there; more interested in the encrypted files at this point.
So, here's the thing: we don't want to pay the ransom, so I've been doing some research. It appears that this variant