Reply to post:

American insurance giant CNA reportedly pays $40m to ransomware crooks

Michael Wojcik Silver badge

That's not generally the way it works. The attacking organization has a botnet probing for known vulnerabilities it can exploit to drop a ransomware package, which will then encrypt files and notify a C&C server. The humans only find out about it after a victim has been compromised. There aren't a bunch of pasty-faced yoots in hoodies hunched over keyboards manually encrypting a file at a time.

Some ransomware includes exfiltration of data; some doesn't. A given crew might, at some point, upgrade their botnet to deliver a package that includes exfiltration capability, but while the money's still rolling in there's no great incentive to do so quickly.

There are probably ransomware operators who still work manually, but the smart ones will be automating the process as much as possible. And aside from developing packages with novel capabilities, it can all be automated.

That's one reason why outlawing payments won't stop ransomware attacks.
