CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Windows Script Files Used to Deliver Locky Ransomware

A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.

A new Locky ransomware variant sold by Brazilian malware developers has been delivered to targeted organizations using Windows script (WSF) files, Trend Micro warned on Sunday.

Security firm Forcepoint reported in May that cybercriminals had started using WSF files to deliver the Cerber crypto-ransomware. Since the method can be highly efficient for evading detection, cybercriminals have also started using it to spread Locky.

WSF files, text documents that contain XML code, act as a container. Since they are not engine-specific, each file can contain more than one scripting language.

Researchers believe that the use of WSF files makes it more difficult to detect the threat as these types of files are not typically monitored by traditional endpoint security solutions. WSF files can increase the chances of bypassing sandboxes and blacklisting technologies.

“Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze,” Trend Micro researchers explained.

“Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When downloaded files have different hashes, detecting them via blacklisting becomes difficult,” they added.

In the attacks observed by Trend Micro last month, cybercriminals appeared to be focusing on targeting companies. The WSF files that deliver Locky are compressed in ZIP archives and attached to emails with subject lines such as “annual report,” “bank account record” or “company database.”

Millions of these spam emails have been sent out, with the highest volumes recorded on weekdays between 9 AM and 11 AM UTC, the timeframe when most European employees begin their workday. The spam emails came from machines in Serbia, Colombia and Vietnam, and later from Thailand and Brazil.

Advertisement. Scroll to continue reading.

Once it infects a computer, Locky checks the registry to determine the language set on the system and displays the ransom note in that language. This method has also been used by various other ransomware families, including Jigsaw, Cryptlock and Reveton.

The new Locky variant was spotted by researchers on an underground Brazilian cybercrime website, but it has also been openly advertised on Facebook.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.