Nasty yes, but spread trough a very banal phishing attack (not spear phishing).
In a company that uses shared network drives, it only takes one.