Basically what is happening is these groups are global but mostly contained in countries where bribes are quite common. They hide behind many layers of security and operate as a business. I'm talking about a full-fledged corporation where it's all about profit sharing. They offer a bounty for information. So people go out and find security vulnerabilities at companies and covertly breach the IT environment. They poke around a bit and see how far inside the environment they can get and if they can stay undetected. Then they go to these larger groups and say "hey, I got in and I can get to all of these places. I'll give you the info for 10% of the return." They then job shop the target. Once one of the bad actor groups purchases it, they enter the network and start creeping around. They make sure to get ahold of things like privileged accounts etc. They install the software in the background that is waiting for a command from them to unleash the payload. The more they can compromise, the more they can demand. So once they are sure they have all they can, or they feel like they've been discovered, they send the command signal. The machines instantly start to encrypt themselves. Meaning they can't be unencrypted without the key, which only the bad actors have. So they ransom everything. Sometimes it's tens of millions of dollars. Sometimes a few hundred thousand. Depends on the company's ability to pay and how much they managed to encrypt. Ransoms are always demanded in untraceable cryptocurrency. Most businesses have cybersecurity insurance.
Before the pandemic healthcare companies were getting hammered with ransomware. But believe it or not, there is a kind of honor amongst thieves and during the pandemic, they started targeting other forms of business. They traditionally stay away from major utilities and subsidies like power, water, food etc. That's because while hitting private businesses with insurance will raise the government eyebrow, hitting national subsidies like food will likely result in CIA involvement and a bullet in your dome regardless of what country you're in.
The pipeline hack was a complete fuckup. The original person got in and sold it to the ransomware group, who did their thing. It wasn't until after they executed the payload that they knew what they had. They immediately settled for half of the ransom and disappeared. Completely disbanded a group that had made a few hundred million in the last few years doing this. They ran scared. Unfortunately, the pipeline company paid immediately and didn't even try to recover by themselves. I'm sure another less concerned group noticed this and decided to hit the meat industry.