It's sadly not uncommon for exploits to be in wide use ahead of patches making it out to secure machines. Up to the day patching still has an unknown vulnerability time prior to the patch being coded, tested and distributed.

There are also entire groups dedicated to tearing apart the patches themselves to discover the exploit. They quickly update exploit kits to take advantage of the time gap between a vendors release and when machines get updated. This is a factor in why Microsoft made changes in Windows 10 home editions to mandate and not defer patches, along with using torrent like distribution. To at least try to close this gap a little in the consumer market while also ensuring a DDOS against their patch server CDNs isn't as effective.

To discover how it got in, I'd recommend looking through the list of what Microsoft patched in that latest round of updates. If anything IIS shows up, check your logs for any out of the ordinary traffic. Same for RDP. It's also possible it didn't go directly through IIS, and instead a flaw in whatever you are hosting on that web instance.

Ransomware is getting to be more and more common. There's a lot more money in this sort of stuff then there used to be ages ago. Larger groups will intentionally horde exploits not known by the vendor to sell to the rich, and smaller groups or individuals buy these exploits to turn around and hit machines like yours. There are literally point and click malware creator programs that wrap up processes like your build.exe that use those latest exploits.

For your machine, was it running any virus/malware protection?


On Windows, the ransom notes tend to show up in My Documents somewhere. There's a chance there's something already there depending on what variant hit your machine.