New Locky using WSF spotted in Brazilian underground

News by Robert Abel

Trend Micro researchers spotted a new variant of Locky ransomware using Windows Scripting Files (WSF) as a downloader.

A new variant of Locky ransomware is using Windows Scripting Files (WSF) as a downloader, Trend Micro researchers have observed.

A WSF file lets an attacker combine several scripting languages within a single file. Because WSF files are not on the lists of file types typically associated with malicious activity, using them allows the threat to bypass security measures, including sandbox analysis, according to a 14 August blog post.

Furthermore, the ransomware payloads downloaded by these WSF files have different hashes, which makes detecting them via blacklisting even more difficult, the blog said.

The samples analysed by the researchers carried the properties of a “Yahoo Widget” in an effort to pass the file off as legitimate.

Researchers spotted the new variant in the Brazilian underground market and believe it is targeting companies using spam emails with malicious .ZIP attachments that contain the ransomware.
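Because the downloaded payloads change hash with every build, a hash blacklist alone will miss them; a mail gateway can instead key on what the .ZIP attachment would hand to the Windows Script Host. The following is an added example, not code from the article or from Trend Micro; the extension list and the constructed sample archive are assumptions for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types the Windows Script Host or shell executes directly. .wsf is the
# one the article describes; the rest are an assumed gateway policy list.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}


def risky_entries(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return paths of script entries inside a ZIP attachment.

    The check does not depend on payload hashes, so a rebuilt sample with a
    fresh hash is still caught. Nested ZIPs are opened up to max_depth so a
    "zip inside a zip" cannot hide the script, and double extensions such
    as invoice.pdf.wsf are judged on their final suffix only.
    """
    found: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in SCRIPT_EXTENSIONS:
                found.append(info.filename)
            elif suffix == ".zip" and depth < max_depth:
                inner = archive.read(info)
                found.extend(f"{info.filename}/{p}"
                             for p in risky_entries(inner, depth + 1, max_depth))
    return found


def build_sample_attachment() -> bytes:
    """Constructed test input: a WSF behind a double extension plus a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("inner.wsf", "constructed placeholder, not a real script")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf.wsf", "constructed placeholder, not a real script")
        z.writestr("readme.txt", "harmless text")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(risky_entries(build_sample_attachment()))  # ['invoice.pdf.wsf', 'archive.zip/inner.wsf']
```

Blocking on extension complements rather than replaces hash-based detection: it catches the delivery vehicle the article describes even when the payload it fetches is new.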

