Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Windows Script Files Used to Deliver Locky Ransomware

A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.

A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.

Security firm Forcepoint reported in May that cybercriminals had started using WSF files to deliver the Cerber crypto-ransomware. Since the method can be highly efficient for evading detection, cybercriminals have also started using it to spread Locky.

WSF files, text documents that contain XML code, act as a container. Since they are not engine-specific, each file can contain more than one scripting language.

Researchers believe that the use of WSF files makes it more difficult to detect the threat as these types of files are not typically monitored by traditional endpoint security solutions. WSF files can increase the chances of bypassing sandboxes and blacklisting technologies.

“Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze,” Trend Micro researchers explained.

“Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When downloaded files have different hashes, detecting them via blacklisting becomes difficult,” they added.

Advertisement. Scroll to continue reading.

In the attacks observed by Trend Micro last month, cybercriminals appeared to be focusing on targeting companies. The WSF files that deliver Locky are compressed in ZIP archives and attached to emails with subject lines such as “annual report,” “bank account record” or “company database.”

Millions of these spam emails have been sent out, with the highest volumes recorded on weekdays between 9 AM and 11 AM UTC, the timeframe when most European employees begin their workday. The spam emails came from machines in Serbia, Colombia and Vietnam, and later from Thailand and Brazil.

Once it infects a computer, Locky checks the registry to determine the language set on the system and displays the ransom note in that language. This method has also been used by various other ransomware families, including Jigsaw, Cryptlock and Reveton.

The new Locky variant was spotted by researchers on an underground Brazilian cybercrime website, but it has also been openly advertised on Facebook.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.