While reporting on ransomware cases often sounds like targeted APTs, more often than not the details in these stories read like "we didn't bother to pay enough admins to actually patch and secure our systems" and "we didn't train our users not to click on every random attachment".
According to random Google result #1 (https://www.2-spyware.com/remove-ryuk-ransomware.html#qm-h2-...), the specific malware distribution is unclear but likely involves email attachments and/or vulnerable and exposed RDP.