WSF Files On The Rise

WSF Files On The Rise cabinet

Like many scripting and development languages, Windows script files (WSF) can be a powerful tool when used for good. Unfortunately, when it’s in the hands of an attacker, it can be used to create malicious WSF files with the purpose of creating malware. One example of this is the recent proliferation of “Locky”.

Locky Is Spreading

Millions of spam emails have been sent to spread the Locky ransomware. Back in October, 1.3 million emails were sent with the subject “Travel Itinerary.” These emails contained a WSF attachment within a zip archive.

In another example, a similar email was sent with “complaint letter” as the subject. In this case, the email was said to come from a client and contain the text “regarding the data file you provided.”

A third example of an attack was a fictitious notification about a series of “suspicious bank operations” that was detected by an account manager with the US Office of Personnel Management.

“Dear [NAME], Carole from the bank notified us about the suspicious movements on our account. Examine the attached scanned record. If you need more information, feel free to contact me.”

In this case, the Locky ransomware is impersonating an OPM representative and targeting government contractors who potentially had their information stolen.

With each of these examples, if the zip archive was opened and the file successfully ran, it installed the Locky ransomware on the computer. After installation, the malware encrypts the files on the machine.

Why Did They Use A WSF File To Spread Malware?

Many email clients automatically block a standard executable (.exe) file. However, in some cases, they will allow a WSF file to be downloaded and run. This allows the script to get around the internal security built into many email programs. Another factor is while many users have been told not to download and run executable files, they’re not familiar with the WSF extension and are therefore more likely to run it.

Exploits Are Constantly Changing

It’s a common practice to change the format of attachments within spam campaigns in an attempt to stay ahead of the security vendors. For example, the Locky ransomware has been seen with both WSF and JavaScript attachments. So far, at least 10 different downloader variants have been found.

How To Protect Your Business From Ransomware Like Locky

Protecting your business from ransomware involves the following:

  • Use up-to-date endpoint protection software
  • Backup your files so that if your machine becomes infected with ransomware it can be restored
  • Make sure your operating system is kept up-to-date
  • Provide proper training for employees on malware
    • These can include being wary of any attachments that they are not expecting from a person.
    • Even if they know the person and get an attachment they aren’t expecting, ask them to contact them by phone and ask if they sent the attachment.
  • Make your employees aware that attacks can come from a variety of attachment types (including some not listed here) and they should be cautious before opening any attachment.


The creators of ransomware are getting more creative every day and are highly motivated by a possible payday. Improving education about the potential dangers, backing up your files, and making sure your endpoint security protection is up-to-date are some of the best ways to reduce the risk.