Surge in ransomware attacks using Windows Script File attachments

Ransomware spammers shift to Microsoft WSF files to distribute malware

The number of email-based attacks using malicious Windows Script File (WSF) attachments has surged in the past three months, according to security software company Symantec.

WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Because some email clients do not automatically block attachments with the WSF extension, and WSH will execute them much like an executable file, they are popular with the propagators of malware.

Malicious WSF files have been used in a number of major spam campaigns recently, spreading the Locky ransomware, said Symantec. The company claims to have blocked more than 1.3 million emails with malicious WSF files, bearing the subject line "Travel Itinerary", on 3 and 4 October alone.

The emails purported to come from a major airline, but came with an attachment that consisted of a WSF file within a zipped archive. If the WSF file was allowed to run, Locky was installed on the victim's computer.
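A mail-gateway check for the attachment pattern described above (a WSH-executable script such as a WSF file, either attached directly or nested inside a ZIP archive), as an added example that is not from Symantec or the original article; the sample message, addresses and file names are constructed:

```python
"""Flag e-mails carrying WSH script attachments, including ones wrapped in a ZIP.
Added example; the sample message below is constructed, not a real campaign sample."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the Windows Script Host runs when the file is opened.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Return the lower-cased final extension, so 'Itinerary.PDF.wsf' -> '.wsf'."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def find_script_attachments(raw_message: bytes) -> list[str]:
    """Return a label for every script attachment: 'file.wsf' or 'archive.zip/member.wsf'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _ext(name) in SCRIPT_EXTENSIONS:
            hits.append(name)
        elif _ext(name) in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    # Look inside the archive: the lure in the article was a WSF within a ZIP.
                    hits.extend(f"{name}/{m}" for m in zf.namelist()
                                if _ext(m) in SCRIPT_EXTENSIONS)
            except zipfile.BadZipFile:
                hits.append(f"{name} (unreadable archive)")  # worth quarantining too
    return hits


def build_sample_message() -> bytes:
    """Constructed lure shaped like the 'Travel Itinerary' run: a ZIP holding a WSF file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.wsf", "<job><script language='JScript'></script></job>")
    msg = EmailMessage()
    msg["Subject"] = "Travel Itinerary"
    msg["From"] = "noreply@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg.set_content("Please find your itinerary attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Matching on the final extension only catches the double-extension trick (`itinerary.pdf.wsf`); a gateway should also quarantine archives it cannot open, since password-protected ZIPs are a common way to defeat this kind of inspection.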

That campaign was followed by another spam run, but with emails bearing the subject line "Complaint letter". The company claims to have blocked more than 918,000 of these malware-bearing spam emails.

"These recent Locky campaigns are part of a broader trend. Over the past number of months, Symantec has noticed a significant increase in the overall numbers of emails being blocked containing malicious WSF attachments. From just over 22,000 in June, the figure shot up to more than two million in July. September was a record month, with more than 2.2 million emails blocked," claimed Symantec.

It added that groups which spread malware via spam campaigns, as opposed to more sophisticated propagation methods such as compromised advertising networks, frequently change the format of the malicious attachments they use in a bid to evade anti-virus and anti-malware blocks.

"Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. The spamming operation had previously used attached Word documents containing a malicious macro (W97M.Downloader)," it said.

"Earlier this year, it moved to using malicious JavaScript attachments (JS.Downloader). It now appears to have shifted to using WSF files instead of pure JavaScript (also detected as JS.Downloader)," warned Symantec.

"In a constantly shifting threat landscape, organisations need to remain vigilant and aware that threats can come from new and unanticipated sources."