We contacted the server service provider, and this is the information that we got:
There was a new administrator account called ANONYM, but the encryption wasn't made from that account (which is very odd, since we didn't create that account); instead, the account of a coworker was used. But as soon as he was notified and his work environment was checked, he wasn't the author of this encryption; still, we think his computer might have been a tool for the ransomware. The evidence shows that the account and password were duplicated by the hackers and they logged in on the first try.
The encryption occurred between 6:20 and 6:30 am (though I'm not sure what time zone, since the provider, the servers and us are in different time zones) and from these IP addresses:
18.104.22.168 (from Amsterdam)
22.214.171.124 (from Willemstad)
126.96.36.199 (from Amsterdam too)
Then the shadow copy process started:
6/12/2018 6:19:16 AM
The Volume Shadow Copy service entered the running state.
6/12/2018 6:22:18 AM
The Volume Shadow Copy service entered the stopped state.
The Encrypting File System (EFS) service entered the running state.
The start type of the Encrypting File System (EFS) service was changed from demand start to auto start.
The rest of the information is related to the article posted in the blog.