Seen it three times.
1. 'Client' staff member opened payload and decided to ignore it, went home with pc running, next day couldn't figure out why she wasn't able to access anything, ignored it for most of the day until she got hold of me. Had to restore data from 3 days prior because the last 2 were also infected.
2. Called out to a domestic job, basically his laptop was fully encrypted, as was his backup which was also connected at the time. He admitted that he had taken it to a local IT shop for repairs and they couldn't do anything, so called me out. I worked out that he had been infected some 2 weeks earlier and told him that there was bugger all that anyone could do.
3. 'Client' staff member emailed me to say that a file on her desktop was no longer accessible, but because she had been busy hadn't bothered to get in touch. I remoted in and only because her machine was full of old profiles and offline server work had it kept the crypto busy all day locally. It had just started to munch through the server when I screamed at her to pull the network cable.
Spiceworks gave me a good method using file services / monitoring, and I have that in place at all the sites, so if a crypto starts on the server I get an email (because clearly I can't rely on AV or users).
I still think there needs to be some sort of background monitor that can be installed on local machines that will flag up a message or perform an action if x number of files are read / modified within x number of seconds. Maybe there needs to be a folder / honeypot on the local drive that contains a couple of hundred small docs so the only thing that would access it would be a crypto.
It's just a thought.
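Added example, not part of the original post: a sketch of the two checks the post proposes (a decoy folder and an "x files in x seconds" threshold), run over a constructed stream of file events. The folder path, the limits, the event format and the function name `detect` are all assumptions made for illustration.

```python
from collections import deque
from pathlib import PureWindowsPath

# Assumed values, not from the post: tune per site.
CANARY_DIR = PureWindowsPath(r"C:\Users\Public\Documents\_canary")
MAX_MODIFIED = 5        # the post's "x number of files"
WINDOW_SECONDS = 10.0   # the post's "x number of seconds"

def detect(events, canary=CANARY_DIR, limit=MAX_MODIFIED, window=WINDOW_SECONDS):
    """Return (timestamp, reason, path) alerts for a time-sorted event stream.

    events: iterable of (timestamp_seconds, action, path),
    where action is "read" or "modify".
    """
    alerts = []
    recent = deque()       # (timestamp, path) of modifications inside the window
    burst_active = False   # one alert per burst, not one per file
    for ts, action, path in events:
        # Rule 1: nothing legitimate should touch the decoy folder, even to read.
        # PureWindowsPath compares case-insensitively, like the file system.
        if canary in PureWindowsPath(path).parents:
            alerts.append((ts, "canary", path))
        if action != "modify":
            continue
        # Rule 2: count distinct files modified within the sliding window.
        recent.append((ts, path))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {name for _, name in recent}
        if len(distinct) > limit:
            if not burst_active:
                alerts.append((ts, "burst", path))
                burst_active = True
        else:
            burst_active = False
    return alerts

# Constructed sample events (not real logs): slow normal editing of one file,
# then eight different files rewritten in four seconds, then a decoy file hit.
DOCS = r"C:\Users\amy\Documents"
SAMPLE = [(0.0, "modify", DOCS + r"\report.docx"),
          (40.0, "modify", DOCS + r"\report.docx")]
SAMPLE += [(100 + 0.5 * i, "modify", DOCS + rf"\f{i}.docx") for i in range(8)]
SAMPLE.append((104.0, "modify", r"C:\users\public\documents\_canary\doc001.docx"))

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Counting distinct paths rather than raw write events keeps repeated saves of one document from tripping the threshold.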