Hacker News
by Scoundreller 3324 days ago
Yes, a vulnerable system can get infected without user interaction.

This malware somehow got seeded, either by (1) directly scanning the internet for vulnerable systems, or (2) traditional "open-this-link / install-this-file" emails/downloads. Maybe that's why we see at least 3 bitcoin addresses: 3 different "seeding" groups.

Corp networks shouldn't be accepting outside SMB connections, and home routers will block them too, so that's where user-initiated emails/downloads come in (or someone connecting an outside laptop).

1 comments

From what I gather, it tends to be one person in an organisation opening a dodgy attachment, then it spreads through the internal network via an unpatched SMB flaw.
That, or they bring a work computer home, get infected, then bring it back to work. Could happen if the network they got infected on resolved all domains (so it didn't execute then), but their corporate network didn't.