How does ransomware get the permissions to encrypt your disk?

Ransomware doesn't get root/admin permissions, because it does not need to.

It does not encrypt the disk or files protected by the operating system (executables, configuration, credentials); it encrypts files created and stored by the users (data), and all it requires to do so is the same level of access as the users themselves.

Just like a user would create a password-protected zip and delete the original file, so does ransomware (except that it keeps the password secret and makes sure the original file is really inaccessible).

That's the whole reason why ransomware is so successful; it encrypts what is most valuable to users and companies: their work.
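The point of this answer is that ransomware needs nothing beyond the user's own access to overwrite user data, so the trace it leaves is ordinary user files turned into high-entropy blobs. As an added example (not part of the original answer), the following Python script walks a directory as the current unprivileged user and flags files whose content looks like ciphertext; the sample files, names and the 7.5-bit threshold are constructed for the demonstration.

```python
import math
import secrets
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or single-valued input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: small files give noisy entropy, so only judge >= 256 bytes.
    Compressed formats (zip, jpeg, mp4) also score high; treat hits as a
    signal to correlate with mass renames/overwrites, not as proof."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def audit_user_files(root: Path, threshold: float = 7.5) -> dict:
    """Read every regular file below `root` with the caller's own rights
    (no elevation needed, exactly like the ransomware itself) and report
    which ones look like high-entropy blobs."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file():
            report[path.name] = looks_encrypted(path.read_bytes(), threshold)
    return report


def build_sample_tree(root: Path) -> None:
    # Constructed sample data: a plain-text document, and a random-bytes
    # file standing in for a document that was replaced by ciphertext.
    (root / "notes.txt").write_bytes(b"Quarterly report draft. " * 40)
    (root / "notes.txt.locked").write_bytes(secrets.token_bytes(4096))


def demo() -> dict:
    """Build the sample tree in a temp dir and audit it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_user_files(root)


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'looks encrypted' if flagged else 'plain'}")
```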


While techraf has the correct answer (that it only encrypts user-space files), I wanted to add that if it did want to do stuff to other parts of your disk, it would do so the same way as some other malware... via an exploit.

Malware authors can find flaws in operating system design that allow mundane programs to get to places they shouldn't. Buffer overflows, IPC flaws, poor encapsulation, and simple mistakes can make it possible for programs to get into places they shouldn't. This is why it's important to patch your machine regularly, and keep those Windows Updates current. Even anti-virus software won't help if the operating system it depends on has a flaw that allows a virus in behind it.

This is why it's important not to use Windows XP any more (and Windows 7 after next year)... these flaws are no longer fixed as they are discovered. Security add-on products like anti-virus don't help protect against these problems, as they themselves are merely guest processes in the operating system that depend on its functioning low-level security in order to do their jobs.

Tags:

Ransomware