Windows Script File (WSF) attacks are on the rise as one of the most popular attack vectors for the spread of ransomware and malware, but they could be easily prevented.
WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by many email clients and can be launched like an executable file.
Symantec has seen a major increase over the past three months in the number of email-based attacks using malicious WSF attachments.
Organised ransomware “groups” (cyber-criminal families) in particular have been employing this tactic. On 3 and 4 October alone, Symantec blocked more than 1.3 million “Travel Itinerary” emails purporting to come from a major airline and carrying the Locky payload (Ransom.Locky) within malicious WSF files.
On 5 October, the same group launched another massive malicious spam campaign with the subject line "Complaint letter." Symantec blocked nearly a million of these emails. The email purported to come from someone representing a client who was making a complaint "regarding the data file you provided." As usual, the emails came with an attachment comprising a WSF file within a .zip archive. Unlucky readers installed Locky.
The use of WSF files has been escalating – from 22,000 in June, to more than two million in July and 2.2 million in September. WSF is the preferred attack vector at the moment, but cyber-criminal groups frequently switch attack vectors.
Protection
WSF may use Microsoft Office's macro feature which is enabled by default. Switch macros off unless you absolutely need them. Go to the Trust Centre and disable all macros.
But there is a little more to good security.
- Enable automatic operating system and Office suite updates to keep them patched against known vulnerabilities.
- Ensure that the default setting for macro security on all Microsoft Office products is set to high.
- Configure anti-malware software to automatically scan all email and instant message attachments.
- Ensure email programs do not automatically open attachments or automatically render graphics, and turn off the preview pane.
- Use increased caution when opening attachments, especially when those attachments carry a .doc or .xls extension.
- Never open unsolicited emails or unexpected attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
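The campaigns described above delivered a WSF file inside a .zip attachment, so an attachment scan has to look inside archives as well as at top-level file names. The following is an added example, not code from Symantec or the original article: a mail-gateway style check in Python. The extension list beyond .wsf, the depth and size limits, the function names and the sample message are all assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions run by Windows Script Host; the article names only .wsf.
SCRIPT_EXTS = (".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe")
MAX_DEPTH = 2              # assumed limit on nested archives
MAX_MEMBER = 5 * 1024**2   # assumed cap on bytes unpacked per archive member

def scan_blob(name, data, hits, prefix="", depth=0):
    """Record script-host files by name; recurse into in-memory zip archives."""
    full = prefix + name
    if name.lower().endswith(SCRIPT_EXTS):
        hits.append(full)
        return
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Member names are visible even when contents are encrypted; only
            # unpack contents that are unencrypted and below the size cap.
            readable = not (info.flag_bits & 0x1) and info.file_size <= MAX_MEMBER
            body = zf.read(info) if readable else b""
            scan_blob(info.filename, body, hits, full + "!", depth + 1)

def flag_script_attachments(raw_eml: bytes) -> list:
    """Return the path of every script-host file found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name:  # only parts that carry a file name are attachments
            scan_blob(name, part.get_payload(decode=True) or b"", hits)
    return hits

def build_sample() -> bytes:
    """Constructed sample: an inert .wsf file inside a .zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.wsf", "<job><script language='JScript'></script></job>")
    msg = EmailMessage()
    msg["Subject"] = "Travel Itinerary"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="itinerary.zip")
    return msg.as_bytes()
```

Calling flag_script_attachments(build_sample()) returns the archive path of the embedded script, which a gateway could use to quarantine the message before delivery.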