it is definitely not always EOL windows, most ransomware I have seen runs on modern OS, fully patched with up to date AV. it is not hard to create or distribute or to mutate and keep active. it is not just windows either, I have seen it for OS X and ubuntu, even cloud services like office365, Dropbox, etc.
99% of the time the hole in the system is the phishing email that the employee clicks on. you will be amazed how many link clicks, redirects, warning messages and notices people will just click through because "hr" needs to verify your payroll information or other nonsense that doesn't even make sense.