D0nut encrypt me, I have a wife and no backups 

An NCC Group analysis dives into the D0nut extortion group’s TTPs, detailing how they used Cobalt Strike, BYOVD, GPO modifications, RDP, and Rclone-based exfiltration before deploying ransomware. The report notes possible ties to HelloXD and overlaps with groups such as Hive and Ragnar Locker, and highlights rapid encryption across both on-prem endpoints and hypervisor environments. #D0nut #HelloXD #Hive #RagnarLocker #CobaltStrike #SystemBC #BYOVD #RDP #Rclone #SFTP #xd.exe #wxd7.exe #ESXi #NCCGroup

Keypoints

  • D0nut heavily uses Cobalt Strike Beacons to move laterally within the network.
  • SystemBC is deployed to establish persistence across the environment.
  • A pre-existing GPO is modified to disable Windows Defender and hinder security tooling.
  • BYOVD (Bring Your Own Vulnerable Driver) is used to terminate AV/EDR processes.
  • RDP is used for lateral movement and to locate data of interest; exfiltration is performed with Rclone to an attacker-controlled SFTP server.
  • Ransomware (xd.exe/wxd7.exe) encrypts endpoints, including ESXi-hosted VMs, after data exfiltration.

MITRE Techniques

  • [T1059.001] PowerShell – PowerShell was utilized to execute malicious commands. ‘PowerShell was utilized to execute malicious commands.’
  • [T1569.002] System Services: Service Execution – Cobalt Strike remotely created temporary services to execute its payload. ‘A service was installed in the system.’
  • [T1569.002] System Services: Service Execution – PsExec creates a service to perform its execution. ‘Service Type: user mode service’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – SystemBC created a run key entry to establish persistence. ‘powershell.exe -windowstyle hidden -Command …’
  • [T1055.002] Process Injection: Portable Executable Injection – def.exe achieved privilege escalation through process injection. ‘process injection…’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The threat actor modified a legitimate GPO to disable Windows Defender functionality. ‘registry configurations to a pre-existing GPO that would disable detection and prevention functionality of Windows Defender.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – def.exe and d.dll were deployed to terminate EDR and AV services. ‘def.exe and d.dll were deployed to terminate EDR and AV services.’
  • [T1021.002] SMB/Admin Windows Shares – Cobalt Strike targeted SMB shares for lateral movement. ‘SMB shares for lateral movement’
  • [T1021.002] SMB/Admin Windows Shares – PsExec uses SMB shares to execute processes on remote hosts. ‘PsExec uses SMB shares to execute processes on remote hosts’
  • [T1021.001] Remote Desktop Protocol – RDP was used to establish sessions to other hosts on the network. ‘Remote Desktop Protocol (RDP) session was established’
  • [T1090.002] Proxy: External Proxy – SystemBC communicates with its C2 server via proxies. ‘via proxies’
  • [T1048.002] Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – The threat actor exfiltrated data to an SFTP server. ‘exfiltrated data to an SFTP server’
  • [T1490] Inhibit System Recovery – Volume shadow copies for a file server were deleted prior to encryption from the ransomware. ‘Volume shadow copies … were purged’
  • [T1486] Data Encrypted for Impact – Ransomware was deployed to the estate and impacted both servers and user workstations. ‘Ransomware was deployed to workstations and servers’
  • [T1486] Data Encrypted for Impact – Virtual machines hosted on an ESXi server were encrypted at the hypervisor level. ‘ESXi server was impacted, resulting in hosted virtual machines suffering encryption at the hypervisor level.’
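The GPO tampering under [T1562.001] can be hunted for directly in SYSVOL rather than waiting for endpoints to report Defender switched off: each GPO's registry settings live in a Registry.pol file (SYSVOL\<domain>\Policies\{GUID}\Machine\Registry.pol). The following Python is an added example, not code from the NCC Group report; it parses the PReg format and flags Windows Defender policy values that disable detection or prevention, plus policy path exclusions. The report does not say which values D0nut set, so the list of policy values, the benign entry, and the sample file are assumptions constructed for illustration.

```python
import struct

# Registry.pol ("PReg") layout: signature b"PReg", 4-byte LE version (1), then
# entries  [key;value;type;size;data]  where "[", ";" and "]" are UTF-16LE
# characters, key and value are NUL-terminated UTF-16LE strings, type and
# size are little-endian DWORDs, and data is `size` raw bytes.
REG_SZ = 1
REG_DWORD = 4


def u16(s):
    return s.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value, type, data) tuples into Registry.pol bytes.
    Only used here to construct the sample file for this example."""
    blob = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        if rtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif rtype == REG_SZ:
            raw = u16(data + "\x00")
        else:
            raw = bytes(data)
        blob += u16("[") + u16(key + "\x00") + u16(";") + u16(value + "\x00")
        blob += u16(";") + struct.pack("<I", rtype) + u16(";")
        blob += struct.pack("<I", len(raw)) + u16(";") + raw + u16("]")
    return bytes(blob)


def parse_registry_pol(blob):
    """Return a list of (key, value, type, data) from a Registry.pol blob."""
    if blob[:4] != b"PReg":
        raise ValueError("missing PReg signature")

    def read_wstr(p):
        # NUL-terminated UTF-16LE; scan on 2-byte boundaries so a 0x00 low
        # byte inside a character is never mistaken for the terminator.
        q = p
        while blob[q:q + 2] != b"\x00\x00":
            q += 2
            if q >= len(blob):
                raise ValueError("unterminated string at offset %d" % p)
        return blob[p:q].decode("utf-16-le"), q + 2

    entries = []
    pos = 8                                   # skip signature + version
    while pos < len(blob):
        if blob[pos:pos + 2] != u16("["):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = read_wstr(pos + 2)
        value, pos = read_wstr(pos + 2)       # skip ';' before the value name
        rtype = struct.unpack_from("<I", blob, pos + 2)[0]   # ';' then type
        size = struct.unpack_from("<I", blob, pos + 8)[0]    # ';' then size
        pos += 14                             # ';' type ';' size ';'
        data = blob[pos:pos + size]
        pos += size + 2                       # data then ']'
        entries.append((key, value, rtype, data))
    return entries


# Windows Defender policy values that turn detection or prevention off when
# set to 1. The report says the GPO was edited to disable Defender but does
# not list the values D0nut used, so this set is an assumption.
DEFENDER_KILL_SWITCHES = {
    (r"software\policies\microsoft\windows defender", "disableantispyware"),
    (r"software\policies\microsoft\windows defender\real-time protection",
     "disablerealtimemonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection",
     "disablebehaviormonitoring"),
    (r"software\policies\microsoft\windows defender\real-time protection",
     "disableonaccessprotection"),
    (r"software\policies\microsoft\windows defender\real-time protection",
     "disableioavprotection"),
}


def find_defender_tampering(blob):
    """Return (key, value, reason) for policy entries that weaken Defender."""
    hits = []
    for key, value, rtype, data in parse_registry_pol(blob):
        k, v = key.lower(), value.lower()
        if (k, v) in DEFENDER_KILL_SWITCHES:
            if rtype == REG_DWORD and len(data) == 4 and struct.unpack("<I", data)[0] != 0:
                hits.append((key, value, "Defender feature disabled"))
        elif k.endswith(r"\windows defender\exclusions\paths"):
            # Policy path exclusions are stored as value name = path, data "0".
            hits.append((key, value, "path excluded from scanning"))
    return hits


# Constructed sample: one benign setting a pre-existing GPO might carry, plus
# the kind of Defender-disabling entries the report describes.
SAMPLE_POL = build_registry_pol([
    (r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", REG_DWORD, 0),
    (r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, 1),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", REG_DWORD, 1),
    (r"Software\Policies\Microsoft\Windows Defender\Exclusions\Paths", r"C:\ProgramData", REG_SZ, "0"),
])

if __name__ == "__main__":
    for key, value, reason in find_defender_tampering(SAMPLE_POL):
        print("%-28s %s\\%s" % (reason + ":", key, value))
```

Run this against every Machine\Registry.pol in SYSVOL and diff the results against a known-good baseline; an edit to a long-standing GPO is the point of the technique, so the file's modification time and the GPO version number in GPT.INI are the first things to compare when a hit appears.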

Indicators of Compromise

  • [URL] Hosted ransomware executable – hxxp[:]//ix[.]io/4uD0
  • [IP:PORT] SystemBC C2 – 85.239.52[.]7:4001, 194.87.111[.]29:4001
  • [IP Address] SFTP server – 83.149.93[.]150
  • [SHA1] Ransomware wxd7.exe – eb876e23dbbfe44c7406fcc7f557ee772894cc0b
  • [SHA1] SystemBC explorer.exe – d4832169535e5d91b91093075f3b10b96973a250
  • [SHA1] def.exe – 550cd82011df93cc89dc0431fa13150707d6aca2
  • [SHA1] RTCore.sys – f6f11ad2cd2b0cf95ed42324876bee1d83e01775
  • [File Path] Ransomware executables – C:\ProgramData\xd.exe, C:\temp\xd.exe, C:\storage\xd.exe, C:\Temp\wxd7.exe, C:\ProgramData\wxd7.exe, C:\storage\wxd7.exe, C:\Storage\Reports\wxd7.exe
  • [File Path] SystemBC – C:\ProgramData\explorer.exe
  • [File Path] Rclone – C:\Storage\Reports\Scheduled\explorer.exe
  • [File Path] def.exe, d.dll – C:\ProgramData\def.exe, C:\temp\def.exe, C:\ProgramData\d.dll, C:\temp\d.dll
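Before these indicators can be swept against telemetry they have to be refanged and normalised (case-folded hashes and paths, IP:port pairs split out). The following Python is an added example, not code from the report: it compiles the list above into lookup sets and matches them against a constructed set of process, network, driver-load and HTTP records. The indicators are copied from the list (with backslashes restored in the file paths); every record in SAMPLE_EVENTS is made up for illustration and is not from the incident.

```python
# Indicators as published above, kept defanged as copied; file-path entries
# have their backslashes restored.
DEFANGED_IOCS = {
    "url": ["hxxp[:]//ix[.]io/4uD0"],
    "ip_port": ["85.239.52[.]7:4001", "194.87.111[.]29:4001"],   # SystemBC C2
    "ip": ["83.149.93[.]150"],                                    # SFTP server
    "sha1": [
        "eb876e23dbbfe44c7406fcc7f557ee772894cc0b",  # wxd7.exe
        "d4832169535e5d91b91093075f3b10b96973a250",  # SystemBC explorer.exe
        "550cd82011df93cc89dc0431fa13150707d6aca2",  # def.exe
        "f6f11ad2cd2b0cf95ed42324876bee1d83e01775",  # RTCore.sys
    ],
    "path": [
        r"C:\ProgramData\xd.exe", r"C:\temp\xd.exe", r"C:\storage\xd.exe",
        r"C:\Temp\wxd7.exe", r"C:\ProgramData\wxd7.exe", r"C:\storage\wxd7.exe",
        r"C:\Storage\Reports\wxd7.exe", r"C:\ProgramData\explorer.exe",
        r"C:\Storage\Reports\Scheduled\explorer.exe", r"C:\ProgramData\def.exe",
        r"C:\temp\def.exe", r"C:\ProgramData\d.dll", r"C:\temp\d.dll",
    ],
}


def refang(ioc):
    """Undo the usual defanging conventions: hxxp, [.], (.), [:]."""
    return (ioc.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def norm_path(p):
    """Case-fold a Windows path and unify separators so C:/ProgramData/XD.EXE
    matches C:\\ProgramData\\xd.exe."""
    return p.replace("/", "\\").lower().rstrip("\\")


def compile_iocs(defanged):
    """Refang and normalise the published list into lookup sets."""
    iocs = {"url": set(), "ip_port": set(), "ip": set(), "sha1": set(), "path": set()}
    for kind, values in defanged.items():
        for raw in values:
            v = refang(raw)
            if kind == "ip_port":
                ip, port = v.rsplit(":", 1)
                iocs["ip_port"].add((ip, int(port)))
                iocs["ip"].add(ip)          # any traffic to a C2 IP is worth a look
            elif kind == "sha1":
                iocs["sha1"].add(v.lower())
            elif kind == "path":
                iocs["path"].add(norm_path(v))
            elif kind == "ip":
                iocs["ip"].add(v)
            else:
                iocs["url"].add(v)          # URL paths are case-sensitive: keep as-is
    return iocs


def sweep(events, iocs):
    """Return (event_index, ioc_kind, indicator) for every record that matches.
    An exact IP:port match takes precedence over a bare C2-IP match."""
    hits = []
    for i, ev in enumerate(events):
        sha1 = (ev.get("sha1") or "").lower()
        if sha1 in iocs["sha1"]:
            hits.append((i, "sha1", sha1))
        if ev.get("path") and norm_path(ev["path"]) in iocs["path"]:
            hits.append((i, "path", norm_path(ev["path"])))
        if ev.get("dst_ip"):
            endpoint = (ev["dst_ip"], ev.get("dst_port"))
            if endpoint in iocs["ip_port"]:
                hits.append((i, "ip_port", "%s:%d" % endpoint))
            elif ev["dst_ip"] in iocs["ip"]:
                hits.append((i, "ip", ev["dst_ip"]))
        if ev.get("url") and ev["url"] in iocs["url"]:
            hits.append((i, "url", ev["url"]))
    return hits


# Constructed telemetry records for illustration; none come from the report.
SAMPLE_EVENTS = [
    {"type": "process", "path": "C:/ProgramData/WXD7.EXE",
     "sha1": "EB876E23DBBFE44C7406FCC7F557EE772894CC0B"},
    {"type": "network", "dst_ip": "85.239.52.7", "dst_port": 4001},
    {"type": "network", "dst_ip": "194.87.111.29", "dst_port": 443},   # C2 IP, other port
    {"type": "network", "dst_ip": "83.149.93.150", "dst_port": 22},    # SFTP exfil host
    {"type": "driver_load", "sha1": "f6f11ad2cd2b0cf95ed42324876bee1d83e01775"},
    {"type": "network", "dst_ip": "10.0.0.5", "dst_port": 445},        # benign SMB
    {"type": "process", "path": r"C:\Windows\explorer.exe", "sha1": "0" * 40},  # placeholder hash
    {"type": "http", "url": "http://ix.io/4uD0"},
]

if __name__ == "__main__":
    for idx, kind, indicator in sweep(SAMPLE_EVENTS, compile_iocs(DEFANGED_IOCS)):
        print("event %d matched %s IOC %s" % (idx, kind, indicator))
```

The path indicators are matched by full path on purpose: explorer.exe in C:\ProgramData or C:\Storage\Reports\Scheduled is the SystemBC or Rclone masquerade, while the same file name under C:\Windows is the real shell and must not fire.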

Read more: https://research.nccgroup.com/2023/11/06/d0nut-encrypt-me-i-have-a-wife-and-no-backups/