"If it is ransomware, the attack goes to show that no organisation, no matter how innocuous, is off-limits"
Early victims weren't even organisations. They were individuals such as me cousin-in-law who got hit with an email apparently from a friend. Fortunately that wasn't a sophisticate one - it simply deleted the original files instead of overwriting them.
But it just illustrates that any organisation, however unlikely a target it might think itself, needs a defence in depth.