Symantec researchers noted an uptick in phishing email attacks using malicious Windows Script File (WSF) attachments to infect users with Locky, and in some cases Cerber, ransomware.
In one day, Symantec reported blocking 1.3 million emails bearing the subject line “Travel Itineraries” that were disguised to appear as though they came from a major airline and contained an attachment that consisted of a WSF file within a .zip archive, according to an Oct. 12 blog post.
The next day Symantec blocked another 918,000 similar emails, which purported to have been sent by someone representing a client making complaints "regarding the data file you provided."
“Attackers will frequently change their attack methods in order to be less predictable,” Symantec Senior Information Developer Dick O'brien told SCMagazine.com via email content. “We believe WSF files are popular at the moment because attackers believe they're less likely to be flagged by some anti-spam or anti-virus products.”
Files with WSF extension aren't automatically blocked by some email clients, can be launched like an executable file and are designed to allow a mix of scripting languages within a single file, the researchers said in the post.
Previously, attackers were using Word documents containing macros and then earlier this year started using malicious JavaScript attachments.
Any file type that allows script or code to be run can potentially be leveraged, he said.
In addition to keeping systems up to date, researchers recommend users take a number of best practices into consideration to ensure they're protected from ransomware attacks including regularly backing up files, avoiding suspicious emails, and remain cautious of Microsoft Office attachments.
