We have had alot of small business clients call/email us over the last 2 weeks about strange emails they started getting (First reported to us was 3/8) and the number of them has increased over the last two weeks. One client opened the attachment on 3/22 and his PC and files on the server were cryptolocked/walled/variation. The emails all appear as user@yourcompany.com but when inspecting the header information the IP addresses are always different and doing an ip trace appear to originate from India, Turkey, China, Mexico, Denmark, Iran or the ones I can remember off hand. They all have a ZIP attachment and either 0 or 1 line of text. The text general is some form of Hey check out the xxx in the attached file. Each location has Endpoint Protection Plus ran by the small business console on their server. All shields are on and the firewall is enabled, most locations also have a spam filter (hardware or service) that isn’t catching these emails either and a separate anti-malware program. On PCs that have Outlook installed I have ran Boot scans, other Anti-Virus scans, malware scans, so on and so forth. None of the scans have detected anything. I’m not sure how I would go about submitting something like this as downloading or opening the zip file isn’t possible without sitting off the crypto. Is there an email to forward something like this to for investigation?