That's all well and good until you consider that you may have 1,000 Windows computers connected to your network that all have access to the network. That means you have to take every one of those 1,000 computers offline and reload the last image, which may or may not be corrupted, because you would need to know when the system was attacked. The virus may have been dormant for 6 months. You have to know that before you reinstall any image or you are simply pissing in the wind. That means you can't get the entire system up in a couple of hours. You would need 100 geeks each getting 10 computers back up to be lucky to get everyone back up in a day. Each of those installs would require a complete scan to confirm you didn't simply reload the virus. And then you would have to test and make sure everything is working, because software and files would likely be missing from the image you restored. If they never had a backup of the hard drives it could. I could stop ransomware from starting at boot if I had time to search for it. It uses Windows boot, not BIOS boot.
Yes, I did know about Sub7... in fact mobman gave it to me 4 days before general release and I mm'd it to 4,400 AOL staff members I had collected from hacking an internal.
I had mm'd it 2 days before general release. My ICQ was one steady ring, to where I couldn't possibly check them all for 2 weeks.
The way I got rid of the present-day ransomware was nuking the drive and copying a functional Windows image.
It was faster than spending 1-2 hrs hunting down how the thing (No it's not "The Thing") starts and stopping it from starting and deleting the files.
I say it was all a cover story, because it's weak AF.
I say Biden shutting off drilling caused a fuel crisis, and they ran cover with that weak-ass story.
More to come... believe that. They won't be able to hide it next time.
Any geek worth his salt can stop ransomware from starting with Windows.
There are only so many places to put the startup .inis and files.
Startup and .ini files can reference files anywhere. It is highly likely that the network contains computers upgraded from, or even still running, XP, which means you can't rely on Windows 10 security features.
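The two posts above are arguing about how many autostart locations there actually are and whether the entry's location tells you where the payload lives. The script below is an added example for this thread, not code posted by either participant: it enumerates the usual Windows autostart points (Run/RunOnce keys, Winlogon Shell/Userinit, the Startup folders, non-Microsoft scheduled tasks, and auto-start services whose binary sits outside the Windows directory) and prints the command each one launches, so you check the target path rather than just the registry key. It assumes Windows 8/10/11 with PowerShell 5.1 or later in an elevated session, and the "suspicious" flag is a heuristic, not a verdict. It is deliberately not exhaustive: WMI event subscriptions, BITS jobs, shell extensions, and other persistence mechanisms are not covered, which is exactly why people reach for a tool like Autoruns on a box they don't trust.

```powershell
# Added example, not code from the thread. Lists the common Windows autostart
# locations an analyst checks when hunting for ransomware persistence, and
# flags entries that launch from user-writable paths or via script hosts.
# Assumes Windows 8/10/11, PowerShell 5.1+, run elevated so HKLM, the
# all-users Startup folder and the task scheduler are all readable.
# Not exhaustive: WMI subscriptions, BITS jobs, shell extensions, etc. are omitted.

$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Entry {
    param([string]$Source, [string]$Name, [string]$Command)
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command }
}

function Get-RunKeyEntry {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }   # skip PowerShell's own provider properties
            New-Entry -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
}

function Get-WinlogonEntry {
    # Shell and Userinit are classic hijack points. A clean box has
    # "explorer.exe" and "C:\Windows\system32\userinit.exe," respectively.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-Entry -Source 'Winlogon' -Name 'Shell'    -Command ([string]$wl.Shell)
    New-Entry -Source 'Winlogon' -Name 'Userinit' -Command ([string]$wl.Userinit)
}

function Get-StartupFolderEntry {
    $dirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            New-Entry -Source $dir -Name $f.Name -Command $f.FullName
        }
    }
}

function Get-TaskEntry {
    # Scheduled tasks survive reboots and user logoff. The Microsoft\ tree is
    # skipped to keep the output reviewable; attackers can hide there too.
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if ($a.Execute) {
                    New-Entry -Source "Task $($task.TaskPath)" -Name $task.TaskName `
                              -Command ("$($a.Execute) $($a.Arguments)".Trim())
                }
            }
        }
}

function Get-ServiceEntry {
    # Auto-start services whose image path is outside %SystemRoot%.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
        ForEach-Object { New-Entry -Source 'Service' -Name $_.Name -Command $_.PathName }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    # Heuristic only: launches from user-writable directories, or through a
    # script host / LOLBin, are where manual removal guides tell you to look first.
    $paths = '\\AppData\\', '\\Users\\Public\\', '\\Downloads\\', '\\Temp\\'
    $hosts = 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'powershell', 'cmd\.exe'
    return ($Command -match ($paths -join '|')) -or
           ($Command -match ('(?i)\b(' + ($hosts -join '|') + ')\b'))
}

$entries = @(Get-RunKeyEntry) + @(Get-WinlogonEntry) + @(Get-StartupFolderEntry) +
           @(Get-TaskEntry) + @(Get-ServiceEntry)

$entries |
    Select-Object Source, Name, Command, @{ n = 'Suspicious'; e = { Test-SuspiciousCommand $_.Command } } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt and read the Command column, not the Source column: an innocuous-looking Run key that points at a renamed binary under %APPDATA% is the case the second post is describing. Anything flagged should be confirmed by hashing the target file and checking its signature before you delete it, and the whole exercise only tells you about this one machine, not about the rest of the fleet.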
But you still haven't got any of your servers up and running yet. That would be the backbone of the network and you have to make sure there are no infections. Then you likely need to replace every password because you have to assume they are all compromised. That means that everyone that needs to log in to the servers needs new passwords or access keys. Every single person will not be able to log in through your domain server until you get them new passwords. Any remote maintenance access to the servers such as RDP or SSH or RSAT has to be reconfigured. But then you also don't know if the intrusion allowed someone to access routers and change the settings there. So all the routers should be wiped and reset. It's starting to be a little more than just putting an image on a single computer if you really want to do this correctly and be safe.
A backup does you no good if your backup includes the virus. Restoring the virus to the network would kind of defeat the purpose, don't you think? If you have 1,000 backups for each week, how do you determine which backup is safe to restore and which one would simply restore the virus to your network? How quickly can you do a scan of the backup of a 1 GB drive? Then your backups have to be ones that were actually physically removed from the network, or the backups may have been encrypted as well. This is about 1/3 of the things you can do:
https://blog.emsisoft.com/en/31002/basics-manual-malware-identification-removal/
I'm a little more advanced... take regular backups of your stuff.
If a fuel company that supplies the eastern seaboard doesn't take weekly backups of their software to do so, and leaves themselves open to cyber attacks...
That's folly.
There are a lot of businesses and infrastructure like that in America. China hacked the Miami traffic grid before.
They need to get more secure and take more backups.
The best Chinese hackers couldn't get around a dedicated old-ass Linux hardware firewall. Nope.
The majority of viruses don't need to get around a firewall. They only need to have one person out of 900 on your network mistakenly run a program. It's probably attached to an email that one of the 900 employees received and you just loaded all their old emails back on their computer. I hope they don't open it again.