Some of my users got an email today about a fax, and despite it looking very suspicious, a few people opened it anyway. It looks like the files that were encrypted are strictly on the employee's workstation and did not hit the network shares. In looking at the CRYPTLIST under HKCU\Software\"random code", everything is on the local machine, or if on the terminal server, the one user's profile. I have no qualms about reimaging the workstations. I'm guessing on the terminal server I can just delete the user's profile and create a new one. I proposed blocking executables in %AppData% months ago, but got voted down due to line-of-business software we use that requires running in that location. Argh.