This is the newest tactic cybercriminals are using to deliver ransomware

Cybersecurity researchers have spotted a surge in ransomware emails containing a type of file which isn't blocked by many providers.
Written by Danny Palmer, Senior Writer

Ransomware distributors aren't taking anything for granted.


Ransomware groups have evolved yet another new tactic in their quest to infect victims with malicious file-encrypting software, including those behind the notorious Locky campaign.

Email remains very much the main delivery method for ransomware, but over the last three months there's been a shift in tactics, with cybersecurity researchers at Symantec spotting a sudden surge in Windows Script Files (WSF) used to distribute ransomware.

WSF files are opened by Windows Script Host (WSH) and are designed to allow a variety of scripting languages to mix within a single file. What makes files with the .wsf extension appealing to cybercriminals, hackers, and other ransomware pushers is that they're not automatically blocked by some email clients and can be launched like a standard executable file.

With attackers having realised that WSF files are less likely to be blocked by anti-malware programmes, the number of ransomware campaigns using the extension type has jumped massively in recent months.

Symantec researchers say 22,000 emails containing malicious .wsf files were blocked in June, and that figure had multiplied almost 100 times to 2 million by July. The figure has remained steady since then, with 2.2 million malicious .wsf files blocked in September.


The rise in ransomware emails using WSF.


One of the most recent campaigns to use malicious WSF files relies on a fake message from an airline to trick the potential victim into installing Locky ransomware.

In just two days in early October, more than 1.3 million emails bearing the subject line "Travel Itinerary" were blocked. The email invites the user to open a .zip file purporting to contain information about a recently booked flight, but instead it contains a WSF file which, if allowed to run, will install Locky on the victim's computer.
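As an added illustration (not code from Symantec or from this article), here is a mail-gateway style check for the delivery method described above: it walks a message's attachments, opens .zip archives in memory and reports any Windows Script Host file inside. The function names, the extensions other than .wsf, the nesting limit and the sample message are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# .wsf is the article's case; the other WSH extensions are an added assumption.
WSH_EXTENSIONS = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe")
MAX_DEPTH = 2  # nested archives opened before giving up

def scan_zip(data, path, hits, depth=0):
    """Append script members of an in-memory zip to hits, following inner zips."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
        for info in archive.infolist():
            member = path + "!" + info.filename
            name = info.filename.lower().rstrip(". ")  # Windows drops trailing dots/spaces
            if name.endswith(WSH_EXTENSIONS):
                hits.append(member)
            elif name.endswith(".zip") and depth < MAX_DEPTH:
                scan_zip(archive.read(info), member, hits, depth + 1)
            elif name.endswith(".zip"):
                hits.append(member + " (nested too deep, not inspected)")
    except Exception:  # fail closed: corrupt or encrypted archives are reported
        hits.append(path + " (could not be fully inspected)")

def find_script_attachments(raw_email):
    """Return attachment paths in a raw email message that a gateway should block."""
    hits = []
    message = message_from_bytes(raw_email, policy=policy.default)
    for part in message.iter_attachments():
        filename = part.get_filename() or "unnamed"
        name = filename.lower().rstrip(". ")
        if name.endswith(WSH_EXTENSIONS):
            hits.append(filename)
        elif name.endswith(".zip"):
            scan_zip(part.get_payload(decode=True), filename, hits)
    return hits

def build_sample():
    """Constructed sample: a zip attachment holding an inert, empty .wsf file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("itinerary.wsf", "<job></job>")
    msg = EmailMessage()
    msg["Subject"] = "Travel Itinerary"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Calling `find_script_attachments(build_sample())` returns the path of the script inside the archive; an empty list means no script attachment was found.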


A spam email containing ransomware delivered by WSF.


It isn't the first time cybercriminals have attempted to use fake booking confirmations or emails pretending to be from travel companies to trick users into installing ransomware.

Nonetheless, the shift towards delivering malicious software via WSF files just goes to show that despite ransomware becoming the biggest cybersecurity threat of the year, those distributing the malicious software aren't resting on their laurels and are keen to find as many ways to infect networks as possible. Indeed, ransomware has even found a way to distribute itself through the cloud.

While cybersecurity researchers have been able to fight the ransomware threat to some extent with the release of free decryption tools, it's still causing major problems. It's suspected that the cost of ransomware attacks is going to total over $1bn this year -- and researchers warn that the problem is only going to grow.
