The first variant discovered by Jakub is called PayDOS and is a batch file converted into a executable. When run, the executable will extract the batch file into the %Temp% folder and  run it from there. Once executed, batch file will scan certain folders for certain file extensions and rename the file so that one letter of the extension is changed. For example, test.png may become test.dng. It does not actually encrypt the files.

http://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/