Is it set for real time scanning including of processes in memory? Do you also have anything else running for protection? I'm not up to speed on what works well on Windows these days, but personally would have Microsoft Defender on anything that touches the internet as well as a secondary product.

The timescale for the vulnerability is the key here. It could be too late if a full day passes to see what nastiness might make it to being written to disk. Exploit that uses memory buffer overflow through a network service (like IIS/RDP) might not even need to hit the disk ever until it's encrypting files.