by vkou 967 days ago
If they could check the backups for evidence of an intrusion, they would be able to check production for evidence of an intrusion.

I meant check for evidence of corruption not an intrusion itself. How do you hide the fact that the data is unreadable?
Ransomware is often not triggered quickly. They will compromise a box, install a back door, and hang onto it for months. You also have to consider that once they pop it, they can check other vulns that are available and will still be present after the restore.

When I do remediation I usually recommend restoring only business state but installing and configuring all OSes and applications from scratch with the latest freshly downloaded versions. You can't trust any executable or DLL that has been lying around.

That is not the restore dream that the backup provider sold them, but reinfection is common. Once the bad guy has a privileged credential it is trivial for them to investigate for other vulns to use in the reinfection phase, and nobody has just one critical vuln. If a business is susceptible to NTLM relay, it's also going to have unsigned SMB and non-encrypted LDAP traffic for the same root cause -- it was the default in 2005 and never got modernized.
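One concrete way to do the "is the data still readable" check the reply above asks about, as an added example (not code from either commenter): scan a restored snapshot for three corruption signals and report per file. It assumes a hypothetical SHA-256 manifest written by the backup job and uses a constructed in-memory snapshot; the hash check alone misses files that were already encrypted when the backup ran, which is why the format-header and entropy checks are included.

```python
import hashlib
import math
from collections import Counter
def _pseudo_random(n_blocks: int) -> bytes:
    # Deterministic high-entropy filler standing in for ransomware output (constructed).
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))
# Constructed sample: a restored backup snapshot as {path: bytes}.
SNAPSHOT = {
    "finance/notes.txt": b"quarterly review notes, nothing unusual this period\n" * 40,
    "finance/report.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 30,
    "finance/ledger.csv": _pseudo_random(128),   # encrypted after the manifest was recorded
    "finance/invoice.pdf": _pseudo_random(128),  # encrypted before the backup job ran
}
# Assumed: the backup job recorded SHA-256 digests when it ran (hypothetical manifest).
MANIFEST = {path: hashlib.sha256(data).hexdigest() for path, data in SNAPSHOT.items()}
MANIFEST["finance/ledger.csv"] = hashlib.sha256(b"date,account,amount\n").hexdigest()

MAGIC = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04", ".png": b"\x89PNG"}
# Entropy only helps for normally low-entropy formats; zip/png/most real PDFs sit near 8 bits/byte when healthy.
NORMALLY_LOW_ENTROPY = {".txt", ".csv", ".log", ".xml", ".json"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random or well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_file(path: str, data: bytes, expected_sha256=None, entropy_threshold=7.5) -> list:
    """Return the corruption indicators for one file (empty list means none found)."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    findings = []
    if expected_sha256 is not None and hashlib.sha256(data).hexdigest() != expected_sha256:
        findings.append("hash-mismatch")   # content changed since the manifest was written
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("magic-mismatch")  # header no longer matches the claimed format
    if ext in NORMALLY_LOW_ENTROPY and shannon_entropy(data) > entropy_threshold:
        findings.append("high-entropy")    # text-like file now looks like ciphertext
    return findings

def scan_snapshot(snapshot: dict, manifest: dict) -> dict:
    """Map each suspicious path to its findings. A matching hash alone proves nothing
    when the backup was taken after the files were already encrypted."""
    report = {}
    for path, data in snapshot.items():
        findings = check_file(path, data, manifest.get(path))
        if findings:
            report[path] = findings
    return report
```

Run against a real restore by walking the snapshot directory instead of the constructed dict; the per-file findings tell you which business state is safe to carry forward and which needs an older copy.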