Re: Solution
Last year I learned to avoid using domain admin accounts.
If the attack somehow manages to escalate to local admin privs, they can then rummage around in memory and find password hashes belonging to any domain admin that had come this way recently. Several VMs were thus hit.
We had an old asp.net app running that was using a third-party component that received an important security update a year prior to the attack.
Our original plan some years ago involved a full rewrite of said asp.net app, but priorities changed and no hands were left on deck.
A colleague reverse-engineered the attacker's code and got the decryption key, but we already had good backups, so no need.