LOL, simply by blocking/monitoring vssadmin.exe, cmd.exe and powershell.exe this attack could have been stopped.