Ragnar Locker has used cmd.exe and batch scripts to execute commands.^[1]

Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.^[1]

Ragnar Locker encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom.^[1][2]

Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enablesRagnar Locker to encrypt files on the host operating system, including files on any mapped drives.^[1]

Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.^[1]

Ragnar Locker can delete volume shadow copies usingvssadmin delete shadows /all /quiet.^[1]

Ragnar Locker may attempt to connect to removable drives and mapped network drives.^[1]

Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.^[1]

Ragnar Locker has been delivered as an unsigned MSI package that was executed withmsiexec.exe.^[1]

Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.^[1]

Ragnar Locker has used rundll32.exe to execute components of VirtualBox.^[1]

Before executing malicious code,Ragnar Locker checks the Windows APIGetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country.^[3]

Ragnar Locker has used sc.exe to execute a service that it creates.^[1]

^[4]