A domain member computer got hit with Dharma .java. The computer was replaced with a spare, and the user was back up and running pretty quick.
Local User files on the workstation were encrypted, and one domain user's redirected files on the server were encrypted. The damaged was limited to that user. The files were restored in a few minutes from backup, and no harm done.
I have the original computer on my bench. All of the encrypted files have a Date/Time stamp of 7:40pm on Sunday evening. I verified from the backup data that the encryption did occur after the Sunday evening 7pm backup.
The question is: This is a business computer, and no one was in the office over the weekend, nor does anyone other than myself have the ability to remotely access the computer. I suspect the user probably left the account logged in when she left the office...