Added links and more information.

As far as I know, typical ransomware, like the (in)famous Locky virus for example, encrypts files depending on their file extension and across all local and remote drives.

To break it down:

The ransomware will scan the system for

  • Local drives (System drive, secondary drive, USB drive and so on)
  • Remote drives (Network shares like Samba, NFS and so on)
  • Files with certain, predefined file types (e.g.: .jpg, .avi, .doc)

This way no important OS files are touched but the attackers still have their 'hostages'.

If you want to know which files on your system would be affected, rootshell.be has written a batch script to estimate which files would be affected on your system. The extensions the script currently looks for are the ones Locky uses. Of course, different ransomware can use different extensions or even work differently, like Petya. Petya works by overwriting the MBR and booting into its own minimalistic OS while the C:\ drive gets encrypted completely in the background.

Sources (If you want further reading):
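
An added example, not part of the original answer and not the rootshell.be script: a read-only exposure estimate that walks the given roots and tallies files by extension, the selection criterion described above. The extension set, function names and sample tree are assumptions made for this illustration.

```python
import os
import tempfile
from collections import Counter

# Assumed sample list: the three extensions named in the answer plus a few
# constructed extras. It is NOT the list any particular ransomware uses.
TARGET_EXTENSIONS = {".jpg", ".avi", ".doc", ".docx", ".xls", ".pdf"}


def estimate_exposure(roots, extensions=TARGET_EXTENSIONS):
    """Walk each root and tally files whose extension is in `extensions`.

    Returns {root: {"files": n, "bytes": total, "by_ext": Counter}}.
    Unreadable directories and files are skipped, not fatal.
    """
    wanted = {e.lower() for e in extensions}
    report = {}
    for root in roots:
        stats = {"files": 0, "bytes": 0, "by_ext": Counter()}
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                ext = os.path.splitext(name)[1].lower()
                if ext not in wanted:
                    continue
                try:
                    size = os.lstat(os.path.join(dirpath, name)).st_size
                except OSError:
                    continue  # vanished or permission denied
                stats["files"] += 1
                stats["bytes"] += size
                stats["by_ext"][ext] += 1
        report[root] = stats
    return report


def build_sample_tree():
    """Create a constructed directory tree for the demo; returns its path."""
    base = tempfile.mkdtemp(prefix="exposure_demo_")
    os.makedirs(os.path.join(base, "Documents", "old"))
    os.makedirs(os.path.join(base, "Windows"))
    samples = {
        "Documents/report.DOC": 120, "Documents/old/holiday.jpg": 300,
        "Documents/notes.txt": 50, "Windows/kernel.dll": 900,
    }
    for rel, size in samples.items():
        with open(os.path.join(base, *rel.split("/")), "wb") as fh:
            fh.write(b"\0" * size)
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    for root, s in estimate_exposure([tree]).items():
        print(root, s["files"], "files,", s["bytes"], "bytes", dict(s["by_ext"]))
```

Pass local drive roots and mounted share paths as `roots` to see which locations hold the most matching data and should come first when planning backups.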
