decrypt on access
>It wouldn't be possible since the malware would then need to be installed on every single computer in the firm since otherwise it couldn't decrypt the files transparently.
Wouldn't it still be possible if you have an infected fileserver?
Especially one like we had at work - a bunch of Windows Server instances running under Hyper-V, on a big, monolithic host; with the Hyper-V host being the thing connected to a vast storage array on SAN, which is itself regularly backed up.
If the Hyper-V host were infected, then you and your backups are toast. But it can still decrypt-on-access until the backups are flushed.
This Hyper-V host had our domain controller, DNS server, various network drives, our Confluence internal wiki, JIRA, Bitbucket (GitHub-style repository), Bamboo (CI/CD)...