Very true. I was working in our office in Milan when two users' PCs were hit.
Email avoided Barracuda mail firewall device, Sophos on two Exchange servers, Sophos on the endpoint and Outlook junk-email filters. It also came in through our Cisco firewall with an IDS module.
Email appeared to be a legit email from a logistics company in Italy (in Italian). Only three users out of 60 got the email, those that deal with the company. Two users opened the mail and the attachment.
So, one, it avoided a lot of checking. Secondly, it worked very fast. It encrypted hard drives and network drives to the tune of 170k files in a few minutes. Thirdly, seems there were a few critical leaks of email databases (corroborated by the IT manager having spoken with her former colleagues and they had a similar problem only a few days beforehand). Lastly, it seems that the attack was highly targeted.
Backup procedures are heavily audited in our company and the Italian IT back up nightly and test restores daily. It took a while to load data from the tapes, but within 24 hours, all network data was restored with only a few files (those created that day) lost. PC files lost amount to a few inconsequential files, plus lots of personal photos that the users had been warned NOT to store on company IT equipment.