I've personally had to manage and resolve 3 attacks of this kind (2 at the same company within a matter of weeks of each other) whilst doing managed services. Each one was due to either personal USB devices being plugged into the company network or personal emails being accessed via webmail.
We had to pay the ransom for one company due to the fact that their backups were sh*te, they had no complete recovery and we'd been telling them this for a number of months (old knackered tape drive, outdated software and tapes stored in the back of someone's car next to the speakers). Needless to say, we refused to pay after the 2nd incident (which arose from the same person plugging the same USB drive in).
There are steps to stop this from happening, however most companies won't put these in place for fear of upsetting their technically incompetent employees.
In my view everyone who uses a computer should be trained in general security and how to spot these emails, and made to sign a waiver saying that if an infection is proven to come from them they pay the ransom if no other method of recovery is available. Also, stop USB drive usage: documents can easily be transferred using cloud storage (free accounts for personal use), so there should be no need to ever have to plug one in.
Oh, and listen to your IT provider when they tell you your backups are useless. It might save your highly confidential and auditable data one day.