I thought I'd share this little story with the teams out there in Corporate IT land. I hope that you avoid this issue entirely, or that you catch it quicker than we could.

05-08-14 - 5:48pm - User reported to the IT Support desk that they were unable to access files within a folder under the shared drive. The user was quoted as saying "the folders and files all seem to look different". Despite this, it was treated as a general permissions issue and forwarded to the appropriate team. During this time, the user who accidentally "activated" the ransomware left her machine on overnight. Worse still, our DAT update for McAfee was at the latest version, however the signature of the file had changed slightly and was not detected.

06-08-14 - 6:38am - After hours on-call support received a call about a large number of files and folders being inaccessible. Not a lot of detail.

06-08-14 - 8:05am - Located the affected folders and located the affected user by determining the username that created the affected files.

06-08-14 - 8:15am - Confirmed discovery when the user who opened the malware also had this HTML page on the network drive:

06-08-14 - 9:30am - Several meetings later, the business stakeholders are notified and the

06-08-14 - 4:00pm - Most of the file shares have now been restored. One of the larger folders will need to continue late into the night.

The machine was immediately removed from the network. We estimate that in the evening, approx. 9GB of documents and files were encrypted. By morning, we were facing a huge epidemic with about 90-100GB of data being completely encrypted. By the time we had commenced the data roll-back, we had approx. 500,000 files affected. The total size is not known as we were on a closely monitored time frame. Needless to say, we had essentially lost a day's work.

Further investigation has determined that this was likely to be a new variant of Critroni, possibly only just created within the last 2 or 3 days.
Most of the Office 365 hosted email environments should already actively block this, but as you can see - this hasn't worked in this case.

Cause: The user had received an email from Microsoft Quarantine advising of the email from "Australia Post". By coincidence, the user was waiting for a package from Australia Post and was duped by the email. After entering a tracking ID into the website containing the malicious link from the email, a prompt was received and software was downloaded to the machine. Because McAfee did not detect the file or the site due to the change in the ransomware signature, it went bonkers.

Cryptolocker details - McAfee Kaspersky Cryptolocker details Australia Post Warnings - Computerworld

May you all avoid this mishap.
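
The 8:05am step, finding the affected user from the account that created the affected files, can be scripted. The PowerShell below is an added example, not part of the original post; the parameter names `$SharePath` and `$Since` are assumptions, and it relies on newly written files being owned by the account that created them.

```powershell
# Added triage example. Assumption: files written by the ransomware are newly
# created, so their NTFS owner is the account that ran it.
param(
    [Parameter(Mandatory)] [string]   $SharePath,  # affected folder (assumed name)
    [Parameter(Mandatory)] [datetime] $Since       # earliest suspected activity
)

# Files created or rewritten since the cut-off time.
$recent = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since }

# Attach the owner to each file; unreadable ACLs are recorded, not skipped.
$rows = foreach ($f in $recent) {
    try   { $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner }
    catch { $owner = '<unreadable>' }
    [pscustomobject]@{
        Owner     = $owner
        Path      = $f.FullName
        Written   = $f.LastWriteTime
        Extension = $f.Extension.ToLowerInvariant()
        Length    = $f.Length
    }
}

# One row per owner: file count, volume, activity window and dominant
# extensions. A single account with a large count over a short window and
# one unusual extension is the machine to isolate first.
$rows | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    $span = $_.Group | Measure-Object -Property Written -Minimum -Maximum
    $size = $_.Group | Measure-Object -Property Length -Sum
    $exts = $_.Group | Group-Object Extension | Sort-Object Count -Descending |
        Select-Object -First 3 | ForEach-Object { '{0} ({1})' -f $_.Name, $_.Count }
    [pscustomobject]@{
        Owner         = $_.Name
        Files         = $_.Count
        SizeGB        = [math]::Round($size.Sum / 1GB, 2)
        FirstWrite    = $span.Minimum
        LastWrite     = $span.Maximum
        TopExtensions = $exts -join ', '
    }
} | Format-Table -AutoSize
```

Run it against one affected folder at a time; calling Get-Acl for every file is slow on large shares.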