I suspect a lot of these things would get past most, if not all anti-viruses.
That seems to be the case of late with this new breed of malware.
Especially since it probably came in piggy-backed on a PDF attachment to an e-mail from a trusted sender. Her Acrobat Reader was two generations old. Everything else was fairly up to date except for her JRE, which was also a full version back. So those two were the most likely initial attack vectors, at least as far as we could semi-determine (i.e., guess). She gets a lot of company and client-generated PDF and document attachments with her e-mail.
This is the first time I've actually seen, rather than just heard about, a case of ransomware. And I hope it's my last. This puppy was a nasty piece of work. We couldn't sanitize her drive, and we used every trick in the book. Inside the machine the drive kept calmly reinfecting itself no matter what was done to it. You could see it spawning new processes in taskman even while the scanners were busily quarantining it. Since this was happening in safe mode, I suspect whatever it ultimately was also had a rooting capability.
Taken out and scrubbed using a non-Windows environment to recover what little data could be recovered rendered it unbootable. Whoever programmed this attack was one savvy and mean SOB, that's for sure.
Thank goodness (in her case) for a well-disciplined backup habit. If she didn't have that, it would have been really bad for her.