A new variant of Locky ransomware using Windows Scripting Files (WSF) as a downloader, Trend Micro researchers observed.

This type of file allows attackers to combine multiple scripting languages within a single file and the use of the file allows the threat to bypass security measures, including sandbox analysis, because the files aren't on the list of files typically used for malicious activity, according to an Aug. 14 blog post.

Furthermore, the ransomware downloaded by these WSF files have different hashes which makes detecting them via blacklisting even more difficult, the blog said.

The samples analyzed by the researchers had the properties of a “Yahoo Widget” in an effort to pass it off as legitimate.

Researchers spotted the new variant in the Brazilian underground market and believe it is targeting companies using spam emails with malicious .ZIP attachments that contain the ransomware.