Learning from Baltimore's disaster, Florida city will pay criminals $600,000 to get free of ransomware attack

Ransomware is software. There are any number of ways it could have been installed, from a link in a phishing email to a trojan to someone intentionally running an installer.

The size of the ransom suggests the attacker knows what they’re doing–they’re not going to try to extort $600K out of an average individual. They won’t get it. So at a minimum they did something to look at the size of the fish they had on the hook before they asked for ransom.

I wouldn’t be surprised if they were targeted. This could be something as simple as an attacker concentrating on the email accounts of city officials under the assumption that they both had money and were less likely to have competent IT staff. Or it could have involved a former or even current employee who left a back door somewhere inside, or someone who just knew which parking lot to drop a USB key in.

A compromised machine inside their network could explain why they paid. Suppose the attacker let it sit idle for a while before running the ransomware. If it’s there long enough, the city could restore their data from backup yet not remove the compromised machine. After the restore the attacker smirks and runs the ransomware again. At that point they don’t really have any good options.
