At the moment word is that attackers encrypted Tietoevrys hypervisor platform (Hyper-V, vSphere or KVM not known) which was hosting multiple customers VMs. So attackers breached Tietoevrys management network, not customer networks.