New Locky using WSF spotted in Brazilian underground

A new variant of Locky ransomware is using Windows Scripting Files (WSF) as a downloader, Trend Micro researchers have observed.

This file type lets an attacker combine multiple scripting languages within a single file, and using it lets the threat bypass security measures, including sandbox analysis, because WSF files are not on the list of file types typically associated with malicious activity, according to a 14 August blog post.

Furthermore, the ransomware samples downloaded by these WSF files have different hashes, which makes detecting them via blacklisting even more difficult, the blog said.

The samples analysed by the researchers carried the properties of a “Yahoo Widget” in an effort to pass them off as legitimate.

Researchers spotted the new variant in the Brazilian underground market and believe it is targeting companies using spam emails with malicious .ZIP attachments that contain the ransomware.
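The two detection points the article raises, that a WSF can carry several scripting languages in one XML file and that hash blacklists miss re-hashed samples, can be checked from the defender's side with a structural scan of a ZIP attachment. The following is an added example written for this page, not code from Trend Micro or from the article; the WSF contents, the ZIP, the file names and the `known_bad_hashes` set are all constructed here, and the script bodies are inert placeholders. It parses each entry as WSF XML, lists the `language` of every `<script>` element, and flags script-host files by extension or content regardless of whether their SHA-256 is already known.

```python
import hashlib
import io
import os
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample WSF mirroring the structure the article describes:
# one .wsf file holding more than one scripting language. The script bodies
# are inert placeholders written for this example, not a real downloader.
SAMPLE_WSF_A = b"""<?xml version="1.0"?>
<job id="widget">
  <script language="JScript">
    var note = "jscript part";   // placeholder, constructed for this example
  </script>
  <script language="VBScript">
    Dim note : note = "vbscript part"   ' placeholder, constructed for this example
  </script>
</job>
"""

# Same file with one attribute changed: a different SHA-256, the same structure.
SAMPLE_WSF_B = SAMPLE_WSF_A.replace(b'id="widget"', b'id="widget-v2"')

# Script-host extensions an attachment filter should treat like executables.
SCRIPT_HOST_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP shaped like the malicious attachment (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("widget.wsf", SAMPLE_WSF_A)
        zf.writestr("widget_v2.wsf", SAMPLE_WSF_B)
        zf.writestr("invoice.txt", b"plain text, nothing to execute\n")
    return buf.getvalue()


def wsf_script_languages(data: bytes) -> list:
    """Return the language attribute of every <script> element in a WSF.

    WSF is XML: a <job> (or several <job>s inside <package>) holding <script>
    elements, each declaring its own language. Non-XML input yields [].
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []
    if root.tag not in ("job", "package"):
        return []
    return [el.get("language", "").strip() for el in root.iter("script")]


def scan_zip_attachment(zip_bytes: bytes, known_bad_hashes=frozenset()) -> list:
    """Inspect every ZIP entry; flag script-host files by extension or content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            languages = wsf_script_languages(data)
            digest = sha256_hex(data)
            findings.append({
                "name": info.filename,
                "sha256": digest,
                "hash_match": digest in known_bad_hashes,
                "is_wsf": bool(languages),
                "languages": languages,
                # Structural rule: extension OR parsed WSF content, independent of hash.
                "flagged": ext in SCRIPT_HOST_EXTENSIONS or bool(languages),
            })
    return findings


if __name__ == "__main__":
    blocklist = {sha256_hex(SAMPLE_WSF_A)}   # only variant A is "known" (constructed)
    for f in scan_zip_attachment(build_sample_zip(), blocklist):
        print(f["name"], "hash_match=%s" % f["hash_match"],
              "flagged=%s" % f["flagged"], f["languages"])
```

Run stand-alone, the scan reports that only `widget.wsf` matches the hash list while both WSF entries are flagged by the structural rule, which is the gap the article describes between hash blacklisting and detecting the file type itself. The content check also catches a WSF whose extension has been renamed, since it keys on the parsed `<job>`/`<script>` layout rather than the file name.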