Re: Easily avoided
The problem is that many businesses receive hundreds of unsolicited attachments every day, quite often in PDF form. Almost all of the mail received at UK University Admissions Offices is of this type. If someone gets an email with an attachment that has "PDF" on the end, chances are they'll open it, especially if it has a recognisable PDF icon.
How do you prevent users doing this? Simply telling them not to open unsolicited emails is not the answer, since that will stop them doing 90% of their business. You can't rely on email server AV scanners, since the fact that corporate users are opening these mails proves that AV companies are having a hard time keeping up with the malware's changes in code.
The answer is to educate users in the concept of hidden file extensions, and the fact that a PDF attachment will not say "PDF" on the end, and if it does, then it's likely there's a hidden "EXE". Unfortunately this is a concept that the majority of users (who have been brought up on the Windows graphical "point and click" environment of the last 30 years) find difficult to grasp.
Oh, and unhiding file extensions isn't the answer. We had a bunch of machines a few years ago with "hide file extensions" turned off by default. The result was that users would happily give their Office documents a name, save them, and then be unable to find them again. The reason? They were overwriting the ".DOC" or ".XLS" on the end, so Word and Excel (which use extension filters) didn't show their files anymore.
The best strategy to beat this is to mitigate the effects by educating users into the wisdom of regular offline backups. The malware's going to keep spreading because users gonna keep clicking, and so long as people are prepared to pay (because they have no alternative), Cryptolocker is a success. There will be more like it.
Sure, regular backups aren't going to help recover that important file that you updated only 30 minutes ago, but if it's only the one file there's less incentive for you to fork out £4-600 to decrypt it. If you didn't back up several gigabytes of network files that constitute the whole of your business, then yes, you'll pay silly money to get it all back, and that's the area where the malware thrives.
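As an added illustration of the hidden-extension problem described in the post (this is example code, not the commenter's), the Python below reproduces what a user sees when Windows hides the final extension, and applies the check a mail gateway or admissions-office intake script could run before an attachment reaches an inbox. The extension lists and the sample filenames are assumptions constructed for the example.

```python
import os

# Assumed lists for this example: document types a user expects to open,
# and suffixes Windows will execute rather than display.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def split_extensions(filename):
    """All dot-separated suffixes, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    name = os.path.basename(filename)
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'Invoice.pdf.exe' appears as 'Invoice.pdf'."""
    name = os.path.basename(filename)
    root, ext = os.path.splitext(name)
    return root if ext else name


def classify_attachment(filename):
    """Label an attachment name. 'disguised-executable' is the case the post
    describes: an executable suffix hidden behind a document-looking one."""
    exts = split_extensions(filename)
    if not exts:
        return "no-extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return "disguised-executable"
        return "executable"
    if last in DOCUMENT_EXTS:
        return "document"
    return "other"


def flag_inbound(filenames):
    """Return (filename, shown-to-user name) for anything executable in a batch."""
    return [(f, displayed_name(f)) for f in filenames
            if classify_attachment(f) in ("executable", "disguised-executable")]


# Constructed sample of an admissions-office inbox for the example.
SAMPLE_ATTACHMENTS = ["transcript.pdf", "Application Form.PDF.exe",
                      "reference.docx", "scan001.scr", "NOTES"]

if __name__ == "__main__":
    for original, shown in flag_inbound(SAMPLE_ATTACHMENTS):
        print(f"blocked {original!r} (user would have seen {shown!r})")
```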