Re: Cyber sex in action
"Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"
Pretty sure the answer is no.
If machines are patched against the NSA backdoors and SMBv1 is disabled, there are other propagation routes if the user has local admin access to the PC, i.e. lsadump for any cached credentials on the PC and then psexec/WMIC using those credentials in an attempt to access other machines via C$/Admin$ shares. Your MBR is also re-written and after 20-40 minutes your PC is restarted and a "chkdsk" run that encrypts your hard disk. Prior to the reboot, a boot from CD and re-writing the MBR allows you to recover from this.
Also consider blocking SMB access between workstations via Windows firewall for end user devices if there isn't a compelling reason not to (i.e. in offices where a local PC is the "server" or some dumb app), or at least reducing access to just the hosts or subnets that need access to reduce your exposure.
If you don't have local admin access to allow the hash dump AND you are patched against the NSA issues across your network, files matching a list of extensions are encrypted.
If you haven't been infected yet, your best protection is ensuring AV and patching is up-to-date and reviewing your usage of privileged accounts (both at domain level and local PC level) to ensure you understand the potential for propagation across your network. Changing passwords for privileged accounts to prevent cached hashes from being usable is also a good step.
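The workstation-to-workstation SMB restriction suggested in the post, written out as a Windows Firewall configuration. This is an added example and not part of the original post; the two subnets in `$AllowedSources` are placeholders for whatever file servers and management hosts actually need to reach the workstation. It uses only the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later) and must be run from an elevated prompt.

```powershell
# Added example (not from the original post): restrict inbound SMB on an end-user
# workstation so only named server/management subnets can reach TCP 445.
# Because explicit Block rules always win over Allow rules in Windows Firewall,
# the pattern is: default-deny inbound, disable the broad built-in SMB allow rules,
# then add one narrowly scoped Allow rule.

# Placeholder subnets: file servers and admin/jump hosts that legitimately use SMB
# or the C$/Admin$ shares. Leave this list empty on PCs nothing should ever reach.
$AllowedSources = @('10.10.0.0/24', '10.20.5.0/24')

# 1. Inbound traffic is dropped unless a rule allows it (restates the Windows default
#    so a previously loosened profile does not silently undo the rest).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. The built-in "File and Printer Sharing" group allows SMB from any address on the
#    profile; disable it so the scoped rule below is the only way in.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

# 3. Allow SMB (TCP 445) only from the listed sources, and only on trusted profiles.
if ($AllowedSources.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'SMB-In (restricted sources)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedSources -Action Allow -Profile Domain, Private
}

# 4. NetBIOS session service (TCP 139) is the legacy SMB transport; no workstation
#    needs to serve it, so block it outright on every profile.
New-NetFirewallRule -DisplayName 'SMB-In (block NetBIOS session)' `
    -Direction Inbound -Protocol TCP -LocalPort 139 -Action Block

# Verify the resulting rule set before rolling out via GPO.
Get-NetFirewallRule -DisplayName 'SMB-In*' |
    Format-Table DisplayName, Enabled, Direction, Action, Profile -AutoSize
```

Pilot this on a small group first: it also blocks remote administration over Admin$ from anything outside `$AllowedSources`, which is exactly the effect wanted against lateral movement but will break helpdesk tooling that relies on those shares from arbitrary workstations.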