None of the comments directly touched on the initial infection vector so here it is: STOP PUTTING YOUR SERVERS DIRECTLY ON THE INTERNET.
Shodan showed that both NHS and Telefonica had servers with every default port open to the Internet, including SMB. Perhaps some well-meaning obsolete not-competent-for-this-position manager overrode the techies with a "But the file share requires a username and password so just do it!"
Biting the hand that feeds IT
