So that's how they do it
"In almost every ransomware attack we've looked at, the company was been compromised six to nine months before the attack was launched," he said, noting that allows the attacker to conduct reconnaissance.
When I read that line about how attackers start by deleting accessible backups I wondered how they could get to them. If, however, you infiltrate an organization and lay low for months while gathering data on the network, then you have all the time you need to discover network storage and passwords to access it.
Given that cities are not known for having bank-level network protection, I'm guessing that once in, there won't be much of a warning to IT admins that an enemy process is worming through their systems.