MS JScript does not have direct access to the Windows API (although it is possible in indirect ways). It generally requires COM (ActiveXObjects) to do anything interesting.
So with a little creativity, yes it is possible. FSO is off limits in the default IE security zone, but if someone double clicks a .js email attachment it will run.
In the wild, however, most of the .js malware I've come across are just droppers to download normal binaries. I can't personally name a pure JS ransomware strain.