If the ransomware attempted to modify a “honeypot” file or was detected by File Screening, the activities of the ransomware would stop at that point. It will no longer be able to affect any additional files on your file server. If you had configured email notifications, you would have been notified of this.
The first thing you will want to do is remove the infected computer from your network so you can take steps to clean it of its infection before allowing it to re-join the network.
On your file server, you can use the Veriato RansomSafe™ console to quickly search for files that had recently been modified or deleted by the user who ran the ransomware. You can then take the files found through the search and restore any of them you’d like to. Note that after you restore them, the encrypted versions of the files may still exist alongside the restored files. You’ll want to remove the encrypted versions of the files using Windows Explorer at your convenience.
As soon as you are sure that the user is no longer infected and a threat to your file server, you may use the Veriato RansomSafe™ console to unblock that user and allow them to continue to manage files on your server.