Just some notes for myself that others may also find useful:
Initial propagation was allegedly via MeDoc auto-updates, though the vendor denies it.
Image posted on Twitter, attribution intentionally missing:
https://twitter.com/thedefensedude/status/879764193913716737
Good write-up by Brian Krebs indicating how the malware obtained credentials to propagate.
Mitigations:
Create c:\windows\perfc.dat and make it read-only:
https://twitter.com/hackingdave/status/879779361364357121
Apply MS17-010 and disable admin$ shares via GPO.
After reboot, the system appears to be running fsck, but this is actually the files being encrypted. If that happens, shut the system down immediately so that files can be recovered using a boot disk.
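A local check for the perfc.dat and admin$ mitigations listed above, as an added PowerShell example that is not part of the original notes. The function names are hypothetical, and the `AutoShareWks` / `AutoShareServer` registry values are the standard LanmanServer settings that a GPO would push (they are not named in the notes); MS17-010 patch level is not checked here.

```powershell
# Added example. Run from an elevated PowerShell prompt (3.0 or later).

function Set-PerfcMarker {
    param([string]$Path = (Join-Path $env:windir 'perfc.dat'))

    # Create an empty file only if nothing is there yet; never overwrite.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path | Out-Null
    }
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.PSIsContainer) { throw "$Path exists but is a directory" }

    # Set the read-only attribute, then re-read the file to confirm it stuck.
    $item.IsReadOnly = $true
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path     = $item.FullName
        ReadOnly = $item.IsReadOnly
        Length   = $item.Length
    }
}

function Get-AdminShareState {
    # 0 = do not recreate administrative shares when the Server service starts.
    # A missing value ($null) means the default applies and the shares are created.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $params = Get-ItemProperty -Path $key

    # The registry setting only takes effect after the Server service restarts,
    # so also report whether ADMIN$ is being served right now.
    $share = Get-CimInstance -ClassName Win32_Share -Filter 'Name = "ADMIN$"'

    [pscustomobject]@{
        AutoShareWks     = $params.AutoShareWks
        AutoShareServer  = $params.AutoShareServer
        AdminShareActive = [bool]$share
    }
}

Set-PerfcMarker
Get-AdminShareState
```

A host is in the intended state when `ReadOnly` is `True`, the `AutoShare*` value for its role is `0`, and `AdminShareActive` is `False`.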