As far as I know typical ransomware, like the (in)famous Locky virus for example, encrypt files depending on their file extension and across all local and remote drives.

To break it down:

The ransomware will scan the system for

* Local drives (System drive, secondary drive, USB drive and so on)
* Remote drives (Network shares like samba, nfs and so on)
* Files with certain, predefined file types (e.g.: .jpg, .avi, .doc)

This way no important OS files are touched but the attackers still have their 'hostages'.