I'm writing in hopes you have seen this. 5 servers and a handful of workstations were compromised with a domain admin account this morning. The hacker did the following:
1. Manipulated partition tables so there are no files on secondary drives. The drive usage is 0%. Partition tables show 4 primary tables.
2. Deleted files on C:\
3. Remote desktop'd into workstations and did the same action.
There was only 1 text file left with an email address.
No files were encrypted...