Activity logs from a server used by the TrickBot trojan in the post-compromise stages of an attack show that the actor spends an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware. Services such as FTP, SSH, SMB, SQL server, remote desktop, and VNC are targeted because they either help the actor move to other computers or indicate a valuable target. Researchers estimate that the attacker took two weeks to gain access to machines on a network and profile them before executing Ryuk.
Source: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/

