Threat Management, Malware

New Locky using WSF spotted in Brazilian underground

Trend Micro researchers have observed a new variant of Locky ransomware that uses Windows Script Files (WSF) as a downloader.

A WSF file allows attackers to combine multiple scripting languages within a single file. According to an Aug. 14 blog post, using this file type lets the threat bypass security measures, including sandbox analysis, because WSF files are not on the list of file types typically associated with malicious activity.

Furthermore, the ransomware payloads downloaded by these WSF files have different hashes, which makes detecting them via blacklisting even more difficult, the blog said.

The samples analyzed by the researchers carried the properties of a “Yahoo Widget” in an effort to pass them off as legitimate.

Researchers spotted the new variant in the Brazilian underground market and believe it is targeting companies using spam emails with malicious .ZIP attachments that contain the ransomware.
