* Posts by OMG It's me

1 publicly visible post • joined 24 Oct 2013

They've taken my storage hostage ... now what?

OMG It's me
Meh

Had this same issue just last week

Had a seriously tech-illiterate ("What do you mean, Start button?") user from a client call up to say that something had appeared on her computer and was saying her files were encrypted.

Needless to say a minor brownware download occurred, and so I nipped down to the site to have a look, not trusting remote support on a known infected PC. After figuring out how to terminate it (taskkill is invaluable here, as it launches two processes of the same EXE file to hold itself open), cleansing the registry and deleting the offending piece of excrement itself, we managed to figure out which files were infected - this had encrypted her networked My Documents, as well as VERY selectively encrypting documents on just one other network drive - it appeared to only mess up files owned by this user in particular, definitely not the standard published behaviour.

$Deity bless Shadow Copy; since the client has a relatively small dataset we've set it to 3 snapshots a day, which has turned out to be an absolute lifesaver! Have also made a note to block execution from Outlook's temp directory; should've done this far sooner.

I surprised myself, being uncharacteristically diplomatic when asked how this happened - apparently the documentation and day-long training on the network & standard security conveniently slipped out through the alternative cranial orifice - something that seems to be implausibly common among our clients!
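The three remediation steps the post describes (kill both copies of the running EXE by image name, pull the user's documents back from a shadow copy taken before the infection, and stop executables launching from Outlook's attachment folder), plus the "3 snapshots a day" setting, written out as an added PowerShell example. This is not the poster's script: the image name, volume letter, share path, snapshot times and the Windows 7-era Outlook temp folder are placeholders or assumptions, the Run-key listing is a generic place to look rather than the poster's registry clean-up, and `Register-ShadowCopySchedule` assumes Windows Server 2012 or later for the ScheduledTasks module (the Shadow Copies for Shared Folders GUI schedule does the same job on older servers). Run as an administrator; the restore and schedule functions run on the file server that hosts the share.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own script. All names/paths below are placeholders.

# 1. Kill every instance of the malware image in one go. The post notes it runs two
#    copies of the same EXE to hold itself open; killing by image name removes both
#    before either can restart the other.
function Stop-MalwareImage {
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'ransom.exe' (placeholder)
    & taskkill.exe /F /IM $ImageName /T               # /F force, /T child processes too
    $baseName = [IO.Path]::GetFileNameWithoutExtension($ImageName)
    Get-Process -Name $baseName -ErrorAction SilentlyContinue | Stop-Process -Force
    # Common persistence points worth reading before the EXE is deleted (assumption, not
    # the poster's exact clean-up step): the per-user and per-machine Run keys.
    Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
}

# 2. Restore a folder from the newest shadow copy older than the time the ransom note appeared.
function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$Volume,        # e.g. 'D:\'
        [Parameter(Mandatory)][datetime]$Before,      # first sighting of the ransom note
        [Parameter(Mandatory)][string]$RelativePath,  # e.g. 'Shares\Users\jsmith\My Documents'
        [Parameter(Mandatory)][string]$Destination    # clean target folder
    )
    $volId = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$($Volume.TrimEnd('\'))'").DeviceID
    $snap = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volId -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $snap) { throw "No shadow copy of $Volume older than $Before" }
    # The snapshot is only reachable via its device object; expose it through a directory
    # symlink because Copy-Item/robocopy cannot open \\?\GLOBALROOT paths directly.
    $link = "$env:SystemDrive\shadow_restore"
    & cmd.exe /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null
    try {
        robocopy (Join-Path $link $RelativePath) $Destination /E /COPY:DAT /R:1 /W:1
    } finally {
        & cmd.exe /c rmdir $link    # remove the link only; never a recursive delete
    }
}

# 3. Software Restriction Policy path rule: nothing may execute from Outlook's secure temp
#    folder, where opened attachments are written. The real folder is recorded per user in
#    HKCU\Software\Microsoft\Office\<ver>\Outlook\Security\OutlookSecureTempFolder.
#    Written to local policy here; on a domain the same values belong in a GPO.
function Add-SrpDisallowRule {
    param([Parameter(Mandatory)][string]$PathPattern,
          [string]$Description = 'Block execution from Outlook temp folder')
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        New-Item $base -Force | Out-Null
        New-ItemProperty $base -Name DefaultLevel -PropertyType DWord -Value 0x40000 | Out-Null  # Unrestricted
        New-ItemProperty $base -Name TransparentEnabled -PropertyType DWord -Value 1 | Out-Null  # EXEs, not DLLs
        New-ItemProperty $base -Name PolicyScope -PropertyType DWord -Value 0 | Out-Null         # all users
        New-ItemProperty $base -Name ExecutableTypes -PropertyType MultiString -Value @(
            'EXE','COM','SCR','PIF','BAT','CMD','VBS','JS','WSF','MSI','REG','LNK') | Out-Null
    }
    $rule = Join-Path $base "0\Paths\{$([guid]::NewGuid())}"   # level 0 = Disallowed
    New-Item $rule -Force | Out-Null
    New-ItemProperty $rule -Name ItemData -PropertyType ExpandString -Value $PathPattern | Out-Null
    New-ItemProperty $rule -Name SaferFlags -PropertyType DWord -Value 0 | Out-Null
    New-ItemProperty $rule -Name Description -PropertyType String -Value $Description | Out-Null
    & gpupdate.exe /force | Out-Null
}

# 4. Three persistent, Previous-Versions-visible snapshots a day (the post's setting).
function Register-ShadowCopySchedule {
    param([string]$Volume = 'D:\', [string[]]$Times = @('07:00', '12:00', '17:00'))
    $cmd = "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create " +
           "-Arguments @{Volume='$Volume'; Context='ClientAccessible'}"
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$cmd`""
    $triggers = $Times | ForEach-Object { New-ScheduledTaskTrigger -Daily -At $_ }
    Register-ScheduledTask -TaskName 'ShadowCopy-3xDaily' -Action $action -Trigger $triggers `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

# Example invocation (placeholders throughout):
# Stop-MalwareImage -ImageName 'ransom.exe'
# Restore-FromShadowCopy -Volume 'D:\' -Before (Get-Date).AddHours(-6) `
#     -RelativePath 'Shares\Users\jsmith\My Documents' -Destination 'D:\Restored\jsmith'
# Add-SrpDisallowRule -PathPattern '%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\*\*.exe'
# Register-ShadowCopySchedule -Volume 'D:\'
```

Check the SRP rule before trusting it: open the Outlook temp folder from the OutlookSecureTempFolder value, drop a harmless EXE there and confirm it is refused with an event 866 in the Application log. The restore copies into a separate destination rather than over the share so that encrypted files can be compared against their restored versions before anything is overwritten.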