I work for an MSP, so dealing with ransomware is what I do 99% of the time anyone gets infected. It's all the hotness in infections. Typically comes from drive-by infected ads, bogus browser and Flash updates, and e-mail attachments. The scope of infection is limited to user access. So, without local admin access, typically only the local profile gets infected, and the data they have access to via mapped drives. With local admin access, the box is hosed. IF the numbnut sys-admins granted domain user access to the Domain Administrators security group (network God mode effectively), it will hose any and all computers and servers it can find. And yes, dumb fucking admins will do that because they're too fucking lazy to be answering requests for software installation and/or securing the network. BAD IDEA!!!!
Just FYI, as a Windows system administrator, not even I have my primary login assigned Domain Admin membership. If I need to log in with a Domain Admin account, I have a separate AD account used for utilitarian reasons. If I fuck up and click on something I shouldn't, at least it's my ass and not bringing down the entire network (though I know better, honestly).
BTW, Veeam is a badass backup solution!!
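
An audit for the misconfiguration described in the comment above, as an added example that is not part of the original post: it lists groups nested inside Domain Admins and flags effective members that look like everyday logins rather than separate admin accounts. It assumes the ActiveDirectory (RSAT) module is installed and, as a heuristic of this example only, treats an account with a mail address as a daily-use account.

```powershell
# Added example, not from the original comment.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$group = 'Domain Admins'

# 1. Direct members. A nested *group* (for example Domain Users) means every
#    member of that group inherits Domain Admin rights.
$direct = Get-ADGroupMember -Identity $group
$nestedGroups = $direct | Where-Object { $_.objectClass -eq 'group' }
foreach ($g in $nestedGroups) {
    Write-Warning "Group '$($g.Name)' is nested in '$group'; all of its members hold Domain Admin rights."
}

# 2. Effective user members, with nesting expanded.
$effective = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties mail, LastLogonDate
    }

# 3. Report. Assumption of this example: an account with a mail address is
#    somebody's primary login, so it should not carry Domain Admin membership.
$report = $effective | Select-Object SamAccountName, Enabled, LastLogonDate,
    @{ Name = 'HasMail'; Expression = { [bool]$_.mail } }

$report | Sort-Object HasMail -Descending | Format-Table -AutoSize

$daily = @($report | Where-Object { $_.HasMail -and $_.Enabled })
if ($daily.Count -gt 0) {
    Write-Warning "$($daily.Count) enabled Domain Admin account(s) have a mailbox address; review whether they are daily-use logins."
}
```

A clean result is a short list of dedicated admin accounts with no nested groups and no mailbox-enabled members.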