What a nasty bit of code. Client clicked on an attachment or link and that was it.
It was awful to get rid of, eventually with a combination of tools, we managed to clear it off….but and it is a big but, all her data files were encrypted. Now there may be ways to get them un-encrypted, but the client had Cloud Backup supplied by BCS!
We remoted into the laptop and restored all her data to the previous version. Saved!