Just some notes for myself that others may also find useful:
Initial propagation was allegedly via MeDoc auto-updates, though the vendor denies it.
Image posted on Twitter, attribution intentionally missing:
— John Lockie (@thedefensedude) June 27, 2017
Good write-up by Brian Krebs indicating how the malware obtained credentials to propagate.
Create c:\windows\perfc.dat and make it read-only:
— Dave Kennedy (ReL1K) (@HackingDave) June 27, 2017
Apply MS17-010 and disable admin$ shares via GPO
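Added example, not part of the original notes or the quoted tweets: a PowerShell script that reports the state of the marker file and the admin shares on a host, and creates the read-only file when run with `-Apply`. The script parameters and the use of the `AutoShareWks` / `AutoShareServer` registry values as the GPO-delivered setting are assumptions; checking for the MS17-010 patch is not covered.

```powershell
# Added example (not from the original notes). Run from an elevated prompt.
# Without -Apply the script only reports; with -Apply it creates the marker file.
param(
    [string]$WindowsDir = $env:windir,   # directory the notes place the file in
    [switch]$Apply
)

$marker = Join-Path $WindowsDir 'perfc.dat'   # file name as given in the notes

if ($Apply) {
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -ItemType File -Path $marker | Out-Null   # empty file is enough
    }
    # Set read-only even if the file already existed with other attributes.
    Set-ItemProperty -LiteralPath $marker -Name IsReadOnly -Value $true
}

$file = Get-Item -LiteralPath $marker -ErrorAction SilentlyContinue

# Assumption: the GPO disables administrative shares through these
# LanmanServer values (0 = do not auto-create ADMIN$ / C$ at service start).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# The share stays published until the Server service restarts or the host
# reboots, so check the live share as well as the registry setting.
$share = Get-CimInstance -ClassName Win32_Share -Filter 'Name=''ADMIN$''' `
    -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    MarkerPath        = $marker
    MarkerExists      = [bool]$file
    MarkerReadOnly    = [bool]($file -and $file.IsReadOnly)
    AutoShareWks      = $reg.AutoShareWks       # empty means not configured
    AutoShareServer   = $reg.AutoShareServer    # empty means not configured
    AdminSharePresent = [bool]$share
}
```

A host is in the intended state when `MarkerReadOnly` is `True` and `AdminSharePresent` is `False`; an empty `AutoShare*` value means the setting has not reached that machine.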
After reboot, the system appears to be running fsck, but this is actually the files being encrypted. If that happens, shut the system down immediately so the files can be recovered using a boot disk.