If they had a ___domain controller with ports opened to the internet they would have been hit some other way already (not to mention suffering from constant account lockouts from random brute forcing), so this would probably not be the initial vector. Once the exploits are more polished this will make things easier for ransomware to escalate privileges but they already had effective ways to get to ___domain admin that work on most networks.