Tag Archives: WSF

SyncCrypt: Getting the Ransomware Picture?

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection is rising of the image file for which a hash is provided, but still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.

David Harley