

25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

New ransomware hidden in photos


Emails have been circulating that purport to deliver court orders and carry a file attachment with the extension WSF. This should set off alarm bells. The purpose of these spam emails is to distribute malware: a new blackmail Trojan called SyncCrypt is in circulation.

The file extension WSF stands for Windows Script File. These script files are similar to the old BAT files and can be executed in exactly the same way. However, the WSF format is much more flexible and can contain various script languages, e.g. Visual Basic Script, JavaScript, or Python. As a result, these files are hard to check using virus scanners and are especially suitable for malware.

But the new malware goes even further in order to conceal itself, according to a report by security experts from IT company Emsisoft on the BleepingComputer website. The small script programs are used to download a photo into which a ZIP archive containing the actual malware is embedded. Thanks to the multiple levels of concealment, the malware goes virtually undetected by anti-virus software (AV).
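A defender can check downloaded images for this kind of concealment. The following is an added example, not code from the Emsisoft report or from this article: it flags a file that begins with an image signature but also parses as a ZIP archive, on the assumption that the embedded archive is one a standard ZIP parser can locate. The function names and the sample bytes are constructed for illustration.

```python
import io
import zipfile

# Start-of-file signatures of common image formats.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}

def image_type(data):
    """Return the image format name if data starts with a known signature."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def scan_image_for_zip(data):
    """Return a finding dict if data is an image that also holds a ZIP, else None."""
    kind = image_type(data)
    if kind is None:
        return None  # not an image: out of scope for this check
    try:
        # zipfile finds the end-of-central-directory record from the end of
        # the file, so it tolerates arbitrary bytes (the picture) in front.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None  # ordinary image, no archive structure found
    # header_offset is already corrected for the prepended image bytes.
    offset = min((i.header_offset for i in infos), default=None)
    return {"image_type": kind, "zip_offset": offset,
            "members": [i.filename for i in infos]}

def build_sample():
    """Constructed sample: stub JPEG markers, then the same stub plus a harmless ZIP."""
    stub_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed test data")
    return stub_jpeg, stub_jpeg + buf.getvalue()

if __name__ == "__main__":
    clean, polyglot = build_sample()
    print("clean image   :", scan_image_for_zip(clean))
    print("image with ZIP:", scan_image_for_zip(polyglot))
```

A hit is a reason to quarantine and inspect the file, not proof of malware, since some legitimate tools also append data to images.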

Files hit by the malware are encrypted and stored with the additional extension .KK. So far there is no known way of decrypting the files again. The blackmailers are requiring victims to pay a ransom of around USD 400 in bitcoins. But no one knows yet whether the files can actually be decrypted subsequently.

The best protection against blackmail Trojans and other malware is still to do regular backups. Some vendors of security software have also developed special ransomware protection. But the same principle applies: Never open email attachments from an unknown sender.

