STOP THE DEPLOYMENT OF ENCRYPTION
EXPORT GPO
The first action to take is to save the GPO for future investigation.
Go to Group Policy Object
Select the GPO
Right click > Back Up
DELETE GPO
Go to Group Policy Object
Select the GPO
Right click > Delete
CLEAN THE SYSVOL FOLDER
In some cases, the GPO executes a script stored in \\domain\sysvol\domain\scripts\.
SAVE THE SCRIPT FOLDER
Go to the folder \\domain\sysvol\domain\scripts\ and save the script in an encrypted (password-protected) archive.
To save time, the default password will be: infected.
Why a password-protected archive? So the file is preserved without an antivirus scanner being able to detect and delete it.
DELETE THE FILE
Once the file is saved in a protected archive, delete the original file.
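The steps above as one PowerShell script, added here as an example and not part of the original runbook. It assumes the GroupPolicy RSAT module, rights to delete the GPO, 7-Zip installed (Compress-Archive cannot set a password), and that the responder supplies the GPO name and the script file name; the SHA256 record and XML report go slightly beyond the text as extra evidence preservation.

```powershell
# Added example: automates EXPORT GPO, DELETE GPO, SAVE THE SCRIPT, DELETE THE FILE.
# $GpoName and $ScriptName are placeholders the responder fills in.
param(
    [Parameter(Mandatory)] [string]$GpoName,           # name of the GPO pushing the encryption
    [Parameter(Mandatory)] [string]$ScriptName,        # file name inside the SYSVOL scripts folder
    [string]$Domain          = $env:USERDNSDOMAIN,     # assumed: run from a domain-joined host
    [string]$EvidenceRoot    = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmm)",
    [string]$SevenZip        = "C:\Program Files\7-Zip\7z.exe",
    [string]$ArchivePassword = "infected"              # default password from the runbook
)
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

# 1. EXPORT GPO: back up the policy plus an XML report (settings, links, GUID) for investigation
$gpoBackupDir = Join-Path $EvidenceRoot 'gpo'
New-Item -ItemType Directory -Path $gpoBackupDir -Force | Out-Null
$backup = Backup-GPO -Name $GpoName -Path $gpoBackupDir -Comment 'IR evidence, do not restore'
Get-GPOReport -Name $GpoName -ReportType Xml -Path (Join-Path $gpoBackupDir "$GpoName.xml")
Write-Host "GPO '$GpoName' (GUID $($backup.GpoId)) backed up to $gpoBackupDir"

# 2. DELETE GPO: removes the policy and its links so no further clients apply it
Remove-GPO -Name $GpoName -Confirm:$false
Write-Host "GPO '$GpoName' deleted"

# 3. SAVE THE SCRIPT: record its hash, then store it in a password-protected 7z archive
$scriptPath = Join-Path "\\$Domain\SYSVOL\$Domain\scripts" $ScriptName
$hash = (Get-FileHash -Algorithm SHA256 -Path $scriptPath).Hash
"SHA256 $hash  $scriptPath" | Out-File (Join-Path $EvidenceRoot 'hashes.txt') -Append
$archive = Join-Path $EvidenceRoot "$ScriptName.7z"
# -p sets the password; -mhe=on also encrypts file names (7z format only)
& $SevenZip a -t7z "-p$ArchivePassword" -mhe=on $archive $scriptPath
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE, original file kept" }

# 4. DELETE THE FILE: only after the archive was written successfully
Remove-Item -Path $scriptPath -Force
Write-Host "Script archived to $archive and removed from SYSVOL"
```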