The attackers probably aren’t targeting the NHS specifically, there’ll just be a script that goes around probing ports and then seeing if it can install the ransomware. The other possibility is that it was on a memory stick and only became activated if it found it was on a large network or similar trigger.
As you say, I’d be very, very surprised if it was targeted. It’s ‘just’ run of the mill, indiscriminate malware 🙁
I know if one that came in via email, was blocked, and then subsequently released, upon which the recipient opened it. At which point it identified attack surface, which are usually open file shares on servers, hops on to them, and propagates from there.
I await the Russian conspiracy theorists though. (And to be fair it’s almost certainly of Russian origin)
There was a really interesting RadioLab about this last year as well.