Forum Discussion

Jean-Pierre S.2
New member | Level 1
10 years ago

Ransomware shared through a Dropbox shared folder - What to do?

(MacBookPro 2011, OS 10.11.2, Time Machine incremental backups on a time capsule at home and duplicate clones by CCC at home, still running every night while I was away in New Zealand; Cluster of 24 computers sharing a joint Dropbox folder for photographs)

Hello, for the purposes of my bicycle club, 23 of us share Dropbox folders containing bicycling photographs. Each of us has the right (1) to add, copy or delete content and (2) to send a link to any other Dropbox user permitting them to share the folder. I have admin rights from a 24th account. Total 24 LESSEES, administrator included.

Not earlier than 20 January, while I was bicycling in New Zealand, away from home, the content of this shared folder and the content of all contained folders were replaced by timed series of text files named "help_recover_instructions.txt" or ".html". I can provide copies of any of these files.

I read the content of one of these text files from the iPad by double-clicking the file icons in the Dropbox folder of the iPad and summarise it below.

It states in essence that all files are strongly encrypted, meaning the reader can no longer read or use them unless restoring them with the help of the bad guys. The public key is in the computer, the private key is on the bad guys' secret server. If the reader does nothing to receive the private key, then the conditions for obtaining the private key will be changed. These conditions are not specified in the text file. It then specifies that a personal home page is prepared for the reader, with various links pointing to it. TOR seems to be specifically used. The bad guys then specify a personal TOR browser page and a personal ID.

On 23 Jan 21:35 by Dropbox clock, yet unaware of the situation, I added while bicycling in New Zealand an empty container folder (named "2016_New-Zealand") for the purpose of later sharing New Zealand photographs.

On 23 Jan, I then discovered that the shared folder had been compromised and sent from New Zealand a warning email message to all other 22 LESSEES, including to the originator of the changes ("Eric") (possibly informing the bad guys if they had taken ownership of Eric's email account).

This message #1 stated the facts, called it a ransomware attack on one of us with a 95% probability and specifically advised all of us against (1) accessing any Dropbox shared folder, (2) clicking any link contained in such a Dropbox folder and (3) corresponding through email messages. I further stated that I would delete it all upon my return and that we would never see its contained photos any more (all are supposed to be copies of our respective originals). I trust all of us complied. I see no such activity on the Dropbox "Events" log.

On 27 January after discussing the situation with my son in Sydney, Australia, I sent a 2nd confirmatory message #2 to all other 22 LESSEES.

Back home and to my MacBook Pro yesterday, I did not dare to open any of the text files from the Mac. Only from the iPad.

I copied from the Mac the entire Dropbox folder to a disposable flash drive which I renamed "Ransomware", for whatever purpose. I did not yet delete the compromised Dropbox folder(s). Other than my two warning messages to all 22 other LESSEES, I did not advise anyone, nor Dropbox.

I checked from the account having admin rights ("ADMIN") on these bike club Dropbox shared folders (more than one exist).

I checked from ADMIN on the "Shared folder option" of Dropbox the addresses of the 24 people sharing this compromised folder. All are genuine and known by me with their real addresses. None is new, unknown or altered in any way.

I checked from ADMIN the other bike club shared Dropbox folders, another one (2013 archives) is similarly compromised. "Eric" is originator of the changes. All others are not compromised, Eric (originator of the changes) was not sharing the non-compromised folders.

I checked the "Events" log provided by Dropbox. It indicates the name of the originator of the changes ("Eric") and the times it occurred. 1st event on 20 Jan 19:11; 2nd event on 21 Jan 9:45; 3rd event on 22 Jan 8:46; 4th event on 22 Jan 13:08; 5th event on 23 Jan 9:27; 6th event on 23 Jan 11:42. There was no further event, as if my adding a folder on 23 Jan 21:35 and/or my #1 warning email to all 22 other LESSEES had altered the bad guys' behaviour: no further additions of text files. Same events, same text files and same originator (Eric) on the other compromised Dropbox folder (2013 archives).

Seen from my Mac, this seems to be strictly firewalled by the boundaries of the two compromised Dropbox shared folders. Our Dropbox access codes do not seem compromised (except Eric's?).

Any question/clarification on facts?

Should I advise the authorities?

What happened?

What should I state (privately by phone) to Eric, the Originator?

What should I do to delete all corrupted parts and not omit any one?

Action on my passwords, any other actions?

What should I state to the other LESSEES except Eric, the Originator?

TIA

4 Replies

  • Mark
    Super User II
    10 years ago

    Should I advise the authorities?

    No. Your shared folders have a simple virus. That's all.

    What should I state (privately by phone) to Eric, the Originator?

    Your folders have a virus that is spreading to everybody in the share. I would also tell everybody else in the share though, in case they get infected also.

    What should I do to delete all corrupted parts and not omit any one?

    Ask him to follow www.dropbox.com/help/400 to recover the files - which will also recover them for you. As long as you don't run an infected file your machine isn't at risk.
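    The poster asks how to delete every corrupted part without missing any, and the reply above points to a version-history restore of the affected shares. The script below is an added example, not code from the post or from Dropbox: run against the copy of the Dropbox tree the poster made on a disposable drive, it inventories every ransom note, lists each folder and top-level share that contains one, and flags the non-note files sitting beside them as untrusted (the note claims they were encrypted, so they should be restored from backup rather than opened). The note file names are the ones the post gives (help_recover_instructions.txt / .html); the folder names and the sample tree it builds are constructed for the demonstration.

```python
"""Added example (not from the post or from Dropbox): inventory the ransom
notes in a copied-off Dropbox tree so that no affected folder is missed
when cleaning up and restoring. Assumptions: the note file names are the
ones the post gives (help_recover_instructions.txt / .html); everything
else below is constructed sample data."""
import os
import tempfile
from pathlib import Path

# File names the post reports; matched case-insensitively.
NOTE_NAMES = {"help_recover_instructions.txt", "help_recover_instructions.html"}


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: one share hit in two places, one share untouched."""
    hit = root / "BikeClub_Photos" / "2015_Alps"
    clean = root / "BikeClub_Archive_2014"
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    # Notes dropped in the shared folder and in a sub-folder, as the post describes.
    (root / "BikeClub_Photos" / "help_recover_instructions.txt").write_text("constructed note\n")
    (hit / "help_recover_instructions.txt").write_text("constructed note\n")
    (hit / "help_recover_instructions.html").write_text("<p>constructed note</p>\n")
    # A photo left beside the notes: it sits in an affected folder, so it is
    # treated as untrusted and restored from backup rather than opened.
    (hit / "IMG_0042.jpg").write_bytes(b"\xff\xd8\xff")
    # Untouched share with a normal photo.
    (clean / "ride.jpg").write_bytes(b"\xff\xd8\xff")
    return root


def _rel(root: Path, dirpath: str) -> str:
    """Folder path relative to the scanned root, with forward slashes."""
    return Path(dirpath).relative_to(root).as_posix()


def find_notes(root: Path):
    """Every ransom note under root as sorted (folder, file name) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in NOTE_NAMES:
                hits.append((_rel(root, dirpath), name))
    return sorted(hits)


def affected_folders(root: Path):
    """Folders that contain at least one note."""
    return sorted({folder for folder, _ in find_notes(root)})


def untrusted_files(root: Path):
    """Non-note files that share a folder with a note. The note claims these
    were encrypted; they are candidates for deletion and restore."""
    affected = set(affected_folders(root))
    out = []
    for dirpath, _dirs, files in os.walk(root):
        rel = _rel(root, dirpath)
        if rel in affected:
            out.extend(f"{rel}/{n}" for n in files if n.lower() not in NOTE_NAMES)
    return sorted(out)


def report(root: Path) -> dict:
    """Summary a club admin can act on: what to delete, which shares to restore."""
    notes = find_notes(root)
    return {
        "note_count": len(notes),
        "affected_folders": affected_folders(root),
        "untrusted_files": untrusted_files(root),
        # Top-level shares that need a version-history restore to before the first event.
        "shares_to_restore": sorted({folder.split("/")[0] for folder, _ in notes}),
    }


def demo() -> dict:
    """Build the constructed tree in a temporary directory and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return report(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    To use it on a real copy, call report(Path("/Volumes/Ransomware")) (path is an assumption) instead of demo(); the "shares_to_restore" list is the set of top-level shared folders to roll back, and "untrusted_files" is the list to delete from the copy rather than open.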

  • Jean-Pierre S.2
    New member | Level 1
    10 years ago

    Thanks for the advice. May I cut Eric out (the person whose computer is compromised) and perform the restore with your help (I would provide the link to the 20 Jan 19:11 first event in each of the two compromised shared folders)? TIA

  • Mark
    Super User II
    10 years ago

    Not sure, you'll need to log a ticket, but it's not worth doing unless his machine is clean - or it'll simply reinfect the folder.
