Then it turns out parent is the ransomware vendor and the linked file turns out to contain the ransomware, with a few letters in the URL substituted for Unicode lookalikes so it appears to be a legitimate Windows update.
I'm not saying that's truly what's happening, but it's easy to imagine. I'd verify I'm connecting to the right domain and double-check with e.g. VirusTotal if I were you.
That's very true. Such attacks are predicated on an ignorant and/or lazy target demographic, I guess.
Incidentally, when I copied the link out of Chrome (57) it pasted the punycode link even though it showed "apple.com" in the omnibox. So then I carefully copy-pasted just the domain and TLD to work around Chrome's link-copying magic, submitted, and... discovered that Arc punycode-ifies Unicode domains.
So that was interesting, but it kind of killed the impact of the point I was making.
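An added example, not part of the thread: a Python sketch of the "verify the domain" check discussed above. It converts a hostname between its Unicode and punycode ("xn--") forms and flags labels that are non-ASCII or mix scripts. The function names and sample hostnames are constructed for illustration, and the script check is a coarse heuristic based on Unicode character names.

```python
import unicodedata

def script_of(ch):
    """Coarse script guess: first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def to_unicode_label(label):
    """Decode an ACE ("xn--") label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ace_label(label):
    """Encode a non-ASCII label to "xn--" form (raw punycode, no nameprep step)."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_host(host):
    """Return both renderings of a hostname plus the labels worth a second look."""
    uni = [to_unicode_label(l) for l in host.rstrip(".").split(".")]
    non_ascii, mixed = [], []
    for label in uni:
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if not label.isascii():
            non_ascii.append(label)
        if len(scripts) > 1:
            mixed.append(label)
    return {
        "unicode": ".".join(uni),
        "ace": ".".join(to_ace_label(l) for l in uni),
        "non_ascii_labels": non_ascii,
        "mixed_script_labels": mixed,
    }

# Constructed samples: plain ASCII, an all-Cyrillic lookalike, a Latin/Cyrillic mix.
SAMPLES = [
    "apple.com",
    "\u0430\u0440\u0440\u04cf\u0435.com",
    "\u0430pple.com",
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(inspect_host(host))
```

An all-Cyrillic label is not mixed-script, so the non-ASCII flag and the punycode rendering are what expose it.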