My machine –
Domain joined Windows 10 Enterprise 64bit running McAfee AV + Encrypted HDD. Fully patched with June’s updates and manually disabled/removed SMBv1.
Hit at 12:40 UK time with a BSoD. Reboot “Please install operating system – no boot device”.
And the follow up
I’ll just put this up here to summarise what happened and how.
We assume 1 PC was infected, that machine provided the virus with some credentials. Could have been a workstation admin’s account, giving the virus admin rights to all PCs in the local area. Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with it’s PSEXEC/WMIC code. The rest is history. We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR, PCs that were not encrypted with McAfee showed the ransom message.
This is a good demonstration of making sure everything is 100% patched and not nearly patched. It is difficult to keep older machines patched and updated in an enterprise environment, however when these systems are designed and implemented, we should be thinking and taking into consideration how we are going to update them and keep them secure, otherwise we will have to deal with the events described above, again and again.