Friday, January 24, 2020

Interesting attack technique: ransomware can now infect any Active Directory-connected Windows system if the user profile is set up to execute a login script when a user logs in.

The attacker weaponized AD by putting not Trickbot, but Ryuk, into the AD [roaming] login script. So anybody who logged into that AD server was immediately infected.
So as soon as an engineer, for example, logged in from his or her workstation, the payload would drop, execute, and lock the user out of the machine.

https://www.darkreading.com/threat-intelligence/ryuk-ransomware-hit-multiple-oil-and-gas-facilities-ics-security-expert-says-/d/d-id/1336865
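
A defender-side check for the technique described above, as an added example that is not from the original post or the linked article: it lists every logon script assigned through the AD `scriptPath` user attribute and compares each file's SHA-256 against a known-good baseline. It assumes the RSAT ActiveDirectory module is installed; the baseline CSV path and its `Path,SHA256` columns are hypothetical.

```powershell
# Added example: audit AD-assigned logon scripts against a hash baseline.
# Assumptions: RSAT ActiveDirectory module; baseline file path is hypothetical.
Import-Module ActiveDirectory

$netlogon     = "\\$((Get-ADDomain).DNSRoot)\NETLOGON"
$baselinePath = 'C:\SecOps\logonscript-baseline.csv'   # hypothetical; columns: Path,SHA256

# Known-good hashes, keyed by the scriptPath value exactly as stored in AD.
$baseline = @{}
if (Test-Path -LiteralPath $baselinePath) {
    Import-Csv -LiteralPath $baselinePath | ForEach-Object { $baseline[$_.Path] = $_.SHA256 }
}

# Every distinct script assigned to users, with how many accounts would run it.
$assigned = Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath |
    Group-Object -Property scriptPath

$report = foreach ($group in $assigned) {
    $script = $group.Name
    # scriptPath is normally relative to NETLOGON, but may be a full UNC path.
    $full = if ($script.StartsWith('\\')) { $script } else { Join-Path $netlogon $script }

    $item = Get-Item -LiteralPath $full -ErrorAction SilentlyContinue
    $hash = $null
    if (-not $item) {
        $status = 'MissingFile'
    } else {
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if (-not $baseline.ContainsKey($script))  { $status = 'NotInBaseline' }
        elseif ($baseline[$script] -ne $hash)     { $status = 'Changed' }
        else                                      { $status = 'OK' }
    }

    [pscustomobject]@{
        Script    = $script
        Users     = $group.Count
        Status    = $status
        LastWrite = $item.LastWriteTimeUtc   # $null when the file is missing
        SHA256    = $hash
    }
}

# Anything not matching the baseline, widest blast radius first.
$report | Where-Object Status -ne 'OK' |
    Sort-Object -Property Users -Descending |
    Format-Table -AutoSize
```

This covers only scripts assigned through the `scriptPath` attribute; logon scripts delivered by Group Policy are stored under SYSVOL and need the same baseline comparison.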
