Ugly
This doesn't sound like the simple phishing attack the commentards assumed on the original article. Even patching the original Citrix vulnerability wouldn't have helped, since the loader was already on the network. It would be interesting to know what further vulnerability was exploited when the malware payload was downloaded by the loader. Also, I wonder whether they waited to make recovery from backups harder, or because they needed an additional vulnerability that the network didn't have when the loader was dropped.