Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

New Manoeuvres to Deliver Ransomware and Avoid Anti-Virus Detections

New Manoeuvres to Deliver Ransomware and Avoid Anti-Virus Detections

New Manoeuvres to Deliver Ransomware and Avoid Anti-Virus Detections

In the modern age, groups of anonymous hackers are utilising new tactics to deliver and compromise remote target systems. The traditional system of using email attachments as a way to distribute these tactics is still being widely used, and considered to be the main way of targeting victims.

So, the question is, what have the hackers developed in order to keep using email attachments to distribute this ransomware, whilst at the same time, being able to avoid the sophisticated email security tools, such as AV, etc.?

Mayank Blog Image

In order to be successful in their mission, modern day hackers are using attachments consisting of Windows Script Files (WSF) to distribute the ransomware. In the functionality of Windows, these WSF files are opened through Windows Script Host (WSH). These allows multiple types of scripting languages to combine within a single file.

So, why is this new methodology appealing to hackers?

The reason behind this new tactic is that these WSF file attachments are not automatically blocked by some email clients. The reason for this is because these attachments lists as a standard executable file. This offers an advantage to the cyber criminals and has allowed them to inflict ransomware to many target systems, within many organisations.

New Mail Image

Over the past few months alone, it has been estimated that over 20,000 emails have been found containing these malicious WSF files. In the last year, many of the systems that have been compromised have been hit through ‘Locky’ sending these files as an attachment bearing the subject as ‘Travel Itinerary’. Within these emails, the user is invited to open the .Zip ‘Itinerary’ file. This .Zip attachment contains the WSF file and, if allowed to run, will automatically install ransomware on the end-users device.