.david ransomware infection on Server2012r2 with business pro running

Hello Everyone;

I am now four days into cleaning up after a .david infection on a Windows Server 2012r2 installation.

All the files on the server were encrypted. The encrypted files have been deleted and the data restored.

The users in the office have access to the server again. The encryption took place March 10, 2018.

The server had a default installation of AVAST Business Pro Antivirus running.

There was no management console installed.

I want to make sure that there will not be a repeat this weekend.

I have performed many scans with MBAM and AVAST Business Pro since bringing the system back on-line.

I want to be sure that there are no remnants of the malware left on the server.

My plans;

Run AVAST clean and remove current AVAST installation.
The AVAST management console is already installed on the server.
Will deploy the AVAST from the console.
This is a VM so will take a snapshot later today.

What are the best practices for an installation on Server 2012r2 (domain controller)?
What are the risks and details relating to the .david ransomware?
Does .david function as plain ransomware or is there more to this ransomware (data collection or remote access/control by malware author)?

Please give me more details about the .david ransomware and forward this message to the other message boards if needed to deal with server installation.

thanks in advance …

Dave.

Ransomware info:

https://id-ransomware.malwarehunterteam.com/

https://www.nomoreransom.org/

TrendMicro has a blog with lots of info
https://blog.trendmicro.com/trendlabs-security-intelligence/category/ransomware/