The problem is, the file can get locked and still be available for backup. Smart enough malware will send an encrypted version when accessed over LAN while local access is unimpeded for some time. There is a reasonable chance that your backup will end up with encrypted files. This is why you need more than one.
That only matters for content created after the malware was installed though, assuming the backups' snapshot interval is reasonable. The malware doesn't usually hang around very long, does it? If it's detected while it can still hide, it still has the decryption keys.
No, they (usually) work similarly to PGP/GPG, i.e. each file is encrypted with a different AES key and the AES key is encrypted with a public RSA key. The original AES key for a particular file is immediately deleted from memory after the file is encrypted and the private RSA key (needed for decrypting the AES key that is stored in the file) only ever gets delivered to the system if the ransom is paid.
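A defender-side check related to the thread above, as an added example that is not part of any poster's comment: AES-encrypted files look like random bytes, so comparing two backup generations for entropy jumps or lost file signatures can flag a generation that captured encrypted files. The thresholds, file names, signature list and the hash-based stand-in for ciphertext are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

MAGIC = (b"PK\x03\x04", b"\x89PNG", b"%PDF", b"\xff\xd8\xff")  # assumed short list

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_suspect_files(prev, curr, high=7.5, jump=1.0):
    """Compare two backup generations ({path: bytes}) and return the paths
    whose content changed into something that looks like ciphertext."""
    suspects = []
    for path, new in curr.items():
        old = prev.get(path)
        if old is None or old == new:
            continue  # new or unchanged file: nothing to compare
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        # Compressed formats are high-entropy already, so also check whether
        # a known file signature disappeared between generations.
        lost_magic = any(old.startswith(m) and not new.startswith(m) for m in MAGIC)
        if e_new >= high and (e_new - e_old >= jump or lost_magic):
            suspects.append(path)
    return sorted(suspects)

def fake_ciphertext(n: int, seed: bytes) -> bytes:
    """Constructed stand-in for AES output: a deterministic SHA-256 stream."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample generations (not real backup data).
TEXT = b"Quarterly figures for the finance team.\n" * 100
PREV = {"report.txt": TEXT, "notes.txt": TEXT,
        "archive.zip": b"PK\x03\x04" + fake_ciphertext(4092, b"a"),
        "photo.png": b"\x89PNG" + fake_ciphertext(4092, b"b")}
CURR = {"report.txt": fake_ciphertext(4096, b"c"),      # replaced by ciphertext
        "notes.txt": TEXT + b"One more line.\n",        # ordinary edit
        "archive.zip": b"PK\x03\x04" + fake_ciphertext(4092, b"d"),  # re-saved
        "photo.png": fake_ciphertext(4096, b"e")}       # signature gone

if __name__ == "__main__":
    print(flag_suspect_files(PREV, CURR))
```

A flagged generation is a signal to stop rotating out the older ones, which is where keeping more than one backup pays off.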