A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.
Security firm Forcepoint reported in May that cybercriminals had started using WSF files to deliver the Cerber crypto-ransomware. Since the method can be highly efficient for evading detection, cybercriminals have also started using it to spread Locky.
WSF files, text documents that contain XML code, act as a container. Since they are not engine-specific, each file can contain more than one scripting language.
Researchers believe that the use of WSF files makes it more difficult to detect the threat as these types of files are not typically monitored by traditional endpoint security solutions. WSF files can increase the chances of bypassing sandboxes and blacklisting technologies.
“Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze,” Trend Micro researchers explained.
“Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When downloaded files have different hashes, detecting them via blacklisting becomes difficult,” they added.
In the attacks observed by Trend Micro last month, cybercriminals appeared to be focusing on targeting companies. The WSF files that deliver Locky are compressed in ZIP archives and attached to emails with subject lines such as “annual report,” “bank account record” or “company database.”
Millions of these spam emails have been sent out, with the highest volumes recorded on weekdays between 9 AM and 11 AM UTC, the timeframe when most European employees begin their workday. The spam emails came from machines in Serbia, Colombia and Vietnam, and later from Thailand and Brazil.
Once it infects a computer, Locky checks the registry to determine the language set on the system and displays the ransom note in that language. This method has also been used by various other ransomware families, including Jigsaw, Cryptlock and Reveton.
The new Locky variant was spotted by researchers on an underground Brazilian cybercrime website, but it has also been openly advertised on Facebook.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
Latest News
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Why Endpoint Resilience Matters
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- UK Introduces Mass Surveillance With Online Safety Bill
- Musk, Scientists Call for Halt to AI Race Sparked by ChatGPT
