From what I gather, it tends to be one person in an organisation opening a dodgy attachment, then it spreads through the internal network via unpatched SMB flaw.
That, or they bring a work computer home, get infected, then bring it back to work. Could happen if the network they got infected on resolved all domains (so it didn't execute then), but their corporate network didn't.