If you see the fake chkdsk reboot to media and overwrite/fix the master boot record. It encrypts the master file table on startup (before AV etc.), has sophisticated lateral movement capabilities using WMIC. Don't bother paying the ransom - the mailbox is dead you'll never get your files back that way.
