You can find out the exact cause of the infection by doing full forensics analysis of the drive. However, in most cases, there are 5 typical causes:
1. Phishing, which is an email with a fake invoice or fake warning about some event (eg. blocked bank account) and call to action (resulting in infection attempt and/or stealing sensitive data). According to 2017 IBM research, 59% of infections were spread this way.
2. Remote attack on a publicly accessible Remote Desktop (RDP) server - including tools stolen from NSA a few years ago. In this case, the attacker doesn't even need to know the valid user password. Over 90% of such attack attempts are directed to the default port 3389, so if you really need to allow access to RDP service from the Internet, the absolute minimum is to change the port number to a non-standard one, preferably in the range of 30000-60000 (and preferably limit access to trusted IP address ranges, or use VPN).
3. Attack within local network, via SMB file sharing protocol, from a previously infected computer. Depending on firewall settings on server:
- - with standard settings, "only" the shared contents accessible from infected computer will be encrypted
- - if the firewall is disabled, or reconfigured to allow unrestricted traffic from local network computers to server, the whole server OS can be infected (and encrypted), becoming another attack source
4. Remote attack on a publicly accessible application (other than Remote Desktop) - e.g. in 2016 there was a large attack on TeamViewer users.
5. Infection via infected file from external USB storage device (pen drive). This way is used mostly by viruses that steal sensitive data and passwords, but also ransomware can be found.