Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.
WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.
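A mail-gateway check for the attachment type described above, as an added example that is not Symantec's code: it flags `.wsf` attachments in a raw message and lists the script languages each file declares in its `<script language="...">` tags. The function names and the sample message are constructed for illustration, and the check assumes the gateway has the raw message bytes.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Matches <script language="..."> tags inside a WSF job. WSF is XML-like, but
# a file need not be well-formed to run, so a tolerant regex is used here.
SCRIPT_LANG = re.compile(rb'<script\b[^>]*\blanguage\s*=\s*["\']?([\w.]+)', re.I)

def find_wsf_attachments(raw_message: bytes):
    """Return [(filename, [script languages])] for every .wsf attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        # Compare the final extension case-insensitively; trailing dots and
        # spaces are dropped by Windows path handling, so strip them first.
        if not name.lower().rstrip(". ").endswith(".wsf"):
            continue
        body = part.get_payload(decode=True) or b""
        langs = sorted({m.decode().lower() for m in SCRIPT_LANG.findall(body)})
        hits.append((name, langs))
    return hits

def build_sample() -> bytes:
    """Constructed test message: one harmless WSF and one plain text file."""
    wsf = (b'<job id="demo">\n'
           b'<script language="VBScript">WScript.Echo "vbs"</script>\n'
           b'<script language="JScript">WScript.Echo("js");</script>\n'
           b'</job>\n')
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(wsf, maintype="application", subtype="octet-stream",
                       filename="Invoice_1234.WSF")
    msg.add_attachment("notes", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, langs in find_wsf_attachments(build_sample()):
        print(f"quarantine {name}: script languages {langs}")
```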