I need for help, my organisation was hit by this ransomware,
why McAfee ENS 10.7 did not detect this executable?
Thanks for the replies..!!
Is Real Protect static and cloud enabled? Have you verified Cloud is working? Do you have DAC set to contain at unknown and block writing and deleting to file types commonly associated with ransomware? If everything else fails, this last one should catch it every time for PE-based ransomware.
Thanks, Dave, yes, I have Real Protect static and cloud enabled.
However, my settings make the DAC trigger only when the reputation threshold reaches "Most likely malicious", because otherwise I would have too many false positives..!
And I suppose my PE-based ransomware is 'Unknown'...
You might consider trying to do Cert exclusions, to see if you can get the FPs down. If you have a TIE server, that should help a lot. With the latest ENS release you can also just alert on DAC events without blocking, so that might help if you can alert when cert rules trigger and the DaysBeforeDetection=0, meaning it is a process new to your environment.
Sorry Dave, I don't understand "to see if you can get the FPs down"..
Why "Cert exclusions"? And why "when cert rules trigger"?
Still not clear to me why Real Protect didn't detect this ransomware behavior..
Many thanks..
I mean in the DAC policy, you can exclude certain certifications from triggering rules, so you can easily then get your needed exclusions in place.
Every ransomware family is going to act a bit differently, so there is probably just something about the code and behavior that stopped it from triggering. It happens, which is why I go by behavioral rules as a final line of defense... and ATD. Also check your JTI rules, as there are some that would certainly help mitigate these risks.
Dave
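To make the trade-off in this thread concrete (a DAC threshold of "Most likely malicious" lets an Unknown process run, while a threshold of "Unknown" plus certificate exclusions contains it without flooding you with FPs), here is an added Python model of the decision. It is not McAfee code; the reputation ordering, the event fields and the sample processes are assumptions constructed for the example.

```python
"""
Model of the DAC (Dynamic Application Containment) decision discussed in the
thread: contain (or just alert on) a process whose reputation is at or below
the policy threshold, with signer (certificate) exclusions to keep false
positives down.  Reputation scale and event fields are assumptions for this
example, not ENS's own data model.
"""
from dataclasses import dataclass
from typing import Optional

# Reputation scale from most trusted to most malicious (assumed ordering;
# the labels follow the TIE/GTI naming used in the thread).
REPUTATIONS = [
    "Known Trusted", "Most Likely Trusted", "Might Be Trusted", "Unknown",
    "Might Be Malicious", "Most Likely Malicious", "Known Malicious",
]
RANK = {name: i for i, name in enumerate(REPUTATIONS)}


@dataclass
class ProcessEvent:              # constructed event record, hypothetical fields
    name: str
    reputation: str
    signer: Optional[str]        # subject of the code-signing cert, if any
    days_before_detection: int   # 0 == process is new to the environment


def dac_decision(ev, threshold, excluded_signers=(), observe_only=False):
    """Return 'allow', 'alert' or 'contain' for one process event."""
    if ev.signer in excluded_signers:        # cert exclusion: never triggers
        return "allow"
    if RANK[ev.reputation] < RANK[threshold]:
        return "allow"                        # better reputation than threshold
    return "alert" if observe_only else "contain"


def new_unknown_processes(events, excluded_signers=()):
    """Triage helper: Unknown-reputation processes never seen in the estate."""
    return [ev.name for ev in events
            if ev.reputation == "Unknown" and ev.days_before_detection == 0
            and ev.signer not in excluded_signers]


# Constructed sample: an unsigned, never-seen Unknown binary (the poster's
# case) beside a signed in-house tool and an already-flagged dropper.
SAMPLE = [
    ProcessEvent("invoice_viewer.exe", "Unknown", None, 0),
    ProcessEvent("hr_tool.exe", "Unknown", "CN=Example Corp IT", 0),
    ProcessEvent("dropper.exe", "Most Likely Malicious", None, 3),
]
TRUSTED_SIGNERS = {"CN=Example Corp IT"}
```

With the "Most Likely Malicious" threshold `invoice_viewer.exe` is allowed; with the "Unknown" threshold and the signer exclusion it is contained while `hr_tool.exe` still runs.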
Just became aware of this rule and wanted to add that you might look at enabling the rule ASRRANSOM that is documented at https://kc.mcafee.com/agent/index?page=content&id=KB93741
You'd need to test with setting OAS to continue scanning on test systems, but that might solve your detection issue with behavioral detection as well.
Dave