There is no excuse for this. Some IT controls and discipline within the organization is all that it takes to stop it. For example lockdown the ability for a user to start any unapproved “.exe” file. It is also a necessary move to segregate “process” and “business” systems from each other.
Spot-on. It's a pain in the ass to do however whitelisting executable files works.
So does automatically sandboxing suspicious emails and blocking email from domains less than 90 days old.
And that's just for starters.
Logically isolate the user from the data center, micro-segmentation of the network, and locking down the user's workstation/laptop preventing any configuration changes including installation of any new unapproved software and you've got a good start on preventing ransomware from getting installed on your network.