My experience with this was all very odd... File extensions were not changed and I never saw the actual ransom request as typically associated with Filecoder/Cryptolocker, et al. It seems as if the trojan/virus/infection never fully completed and somehow got stopped before being fully executed.
I ran a couple A/V scans from multiple tools, cleaned everything I could find, and restored from backups rather than pay the ransom. Have had no further issues...
There is no doubt it came from a user clicking a .zip attachment in a FedEx, UPS or DHL spoof. As "mattspchelp" stated above, it may be a good idea to implement some kind of security via group policy (or other methods) instead of relying on antivirus to stop this.