A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.
Security firm Forcepoint reported in May that cybercriminals had started using WSF files to deliver the Cerber crypto-ransomware. Since the method can be highly efficient for evading detection, cybercriminals have also started using it to spread Locky.
WSF files, text documents that contain XML code, act as a container. Since they are not engine-specific, each file can contain more than one scripting language.
Researchers believe that the use of WSF files makes it more difficult to detect the threat as these types of files are not typically monitored by traditional endpoint security solutions. WSF files can increase the chances of bypassing sandboxes and blacklisting technologies.
“Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze,” Trend Micro researchers explained.
“Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When downloaded files have different hashes, detecting them via blacklisting becomes difficult,” they added.
In the attacks observed by Trend Micro last month, cybercriminals appeared to be focusing on targeting companies. The WSF files that deliver Locky are compressed in ZIP archives and attached to emails with subject lines such as “annual report,” “bank account record” or “company database.”
Millions of these spam emails have been sent out, with the highest volumes recorded on weekdays between 9 AM and 11 AM UTC, the timeframe when most European employees begin their workday. The spam emails came from machines in Serbia, Colombia and Vietnam, and later from Thailand and Brazil.
Once it infects a computer, Locky checks the registry to determine the language set on the system and displays the ransom note in that language. This method has also been used by various other ransomware families, including Jigsaw, Cryptlock and Reveton.
The new Locky variant was spotted by researchers on an underground Brazilian cybercrime website, but it has also been openly advertised on Facebook.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
Latest News
- Comcast Wants a Slice of the Enterprise Cybersecurity Business
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- New York Attorney General Fines Vendor for Illegally Promoting Spyware
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
