
25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

New ransomware hidden in photos


Emails are circulating that claim to deliver court orders and carry a file attachment with the extension WSF; that alone should set off alarm bells. The purpose of these spam emails is to distribute malware: a new blackmail Trojan called SyncCrypt is in circulation. The file extension WSF stands for Windows Script File. These script files are similar to the old BAT files and can be executed in exactly the same way. However, the WSF format is much more flexible and can contain various scripting languages, e.g. Visual Basic Script, JavaScript or Python. As a result, these files are hard for virus scanners to check and are particularly well suited to malware.
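The following script is an added example written for this article, not code from it-sa, Emsisoft or BleepingComputer. It shows what a mail-gateway triage step can do with an attachment like the one described: a WSF file is plain XML, so its `<script language="...">` blocks can be enumerated to see which script engines it would invoke, and a name such as `court_order.pdf.wsf` is caught by looking at every extension rather than only the last one. The sample WSF, the file names and the extension blocklist are constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumption: extensions handled by Windows Script Host / cmd that a gateway
# would quarantine regardless of content. Adjust to local policy.
SCRIPT_HOST_EXTENSIONS = {".wsf", ".wsh", ".vbs", ".vbe", ".js", ".jse", ".bat"}


def attachment_extensions(filename: str) -> List[str]:
    """Return every extension of the name, lower-cased, so that a
    double extension such as 'order.pdf.wsf' is not mistaken for a PDF."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def wsf_script_languages(data: bytes) -> List[str]:
    """Parse a Windows Script File and list the language= of each <script>
    block. A .wsf is XML: either a bare <job> or <package> wrapping jobs."""
    root = ET.fromstring(data)
    return [s.get("language", "").lower() for s in root.iter("script")]


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Decide whether an attachment should be blocked and why."""
    exts = attachment_extensions(filename)
    verdict: Dict[str, object] = {
        "filename": filename,
        "extensions": exts,
        "script_languages": [],
        "block": False,
        "reason": "",
    }
    if exts and exts[-1] in SCRIPT_HOST_EXTENSIONS:
        verdict["block"] = True
        verdict["reason"] = "script host extension " + exts[-1]
    if exts and exts[-1] == ".wsf":
        try:
            verdict["script_languages"] = wsf_script_languages(data)
        except ET.ParseError:
            # Real WSF files are often loosely formed; an unparsable one is
            # still blocked by the extension rule above, just without detail.
            verdict["reason"] += "; WSF body not well-formed XML"
    return verdict


# Constructed sample: a harmless WSF with two script engines, the kind of
# structure that lets one attachment mix VBScript and JScript.
SAMPLE_WSF = b"""<?xml version="1.0"?>
<job id="demo">
  <script language="VBScript"><![CDATA[
    WScript.Echo "constructed sample"
  ]]></script>
  <script language="JScript"><![CDATA[
    WScript.Echo("constructed sample");
  ]]></script>
</job>
"""

if __name__ == "__main__":
    print(triage_attachment("court_order.pdf.wsf", SAMPLE_WSF))
    print(triage_attachment("court_order.pdf", b"%PDF-1.4 constructed"))
```

Run it on a real mail stream by feeding each MIME part's declared file name and decoded bytes to `triage_attachment`; the `script_languages` list is useful as an enrichment field in the quarantine log even when the block decision is already made by extension.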

But the new malware goes even further to conceal itself, according to a report by security experts from the IT company Emsisoft on the BleepingComputer website. The small script program downloads a photo in which a ZIP archive containing the actual malware is embedded. Thanks to these multiple layers of concealment, the malware goes virtually undetected by anti-virus (AV) software.
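The trick described above works because image decoders stop reading at the end-of-image marker and ignore whatever follows, so a ZIP archive can be appended to an otherwise valid JPEG or PNG. The script below is an added example, not code from the article or from Emsisoft, that a defender can run over downloaded images to find such trailers: it walks the JPEG marker segments (or PNG chunks) to locate the true end of the image, then checks the trailing bytes for a ZIP archive and lists its entries. The sample images and archive entries are constructed in the script and are not SyncCrypt artefacts.

```python
import io
import zipfile
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end-of-central-directory


def jpeg_end(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past the EOI
    marker. Decoders stop there, so anything after it is invisible to viewers."""
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                      # malformed: a marker must start with 0xFF
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker, skip it
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                   # EOI: end of image
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                         # standalone markers carry no length field
        if pos + 2 > n:
            return None
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length includes its own two bytes
        if marker == 0xDA:                   # SOS: entropy-coded data runs until the next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # 0xFF00 is byte stuffing, RSTn are restart markers
                pos += 1
    return None


def png_end(data: bytes) -> Optional[int]:
    """Walk PNG chunks and return the offset just past the IEND chunk's CRC."""
    if not data.startswith(PNG_SIG):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4                # length/type header, data, CRC
        if ctype == b"IEND":
            return pos
    return None


def inspect_image(data: bytes) -> Dict[str, object]:
    """Report how many bytes trail the image and any ZIP archive found there."""
    end = jpeg_end(data) if data.startswith(JPEG_SOI) else png_end(data)
    result: Dict[str, object] = {"well_formed": end is not None, "trailing_bytes": 0, "zip_entries": []}
    if end is None:
        return result
    trailing = data[end:]
    result["trailing_bytes"] = len(trailing)
    if any(m in trailing for m in ZIP_MAGICS):
        try:
            with zipfile.ZipFile(io.BytesIO(trailing)) as zf:
                result["zip_entries"] = zf.namelist()
        except zipfile.BadZipFile:
            pass                             # ZIP-looking bytes that are not an archive
    return result


def _minimal_jpeg() -> bytes:
    """Constructed JPEG skeleton (SOI, APP0, SOS, EOI), shaped like a file but not a picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains 0xFF00 stuffing and an RST0 marker
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


def _minimal_png() -> bytes:
    """Constructed PNG skeleton: signature, IHDR, IEND; CRC fields are zero placeholders."""
    ihdr = (13).to_bytes(4, "big") + b"IHDR" + bytes(13) + bytes(4)
    iend = (0).to_bytes(4, "big") + b"IEND" + bytes(4)
    return PNG_SIG + ihdr + iend


def _zip_bytes(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean image and two images with an archive appended.
CLEAN_JPEG = _minimal_jpeg()
POLYGLOT_JPEG = CLEAN_JPEG + _zip_bytes({"payload.bin": b"constructed placeholder", "readme.txt": b"constructed"})
POLYGLOT_PNG = _minimal_png() + _zip_bytes({"payload.bin": b"constructed placeholder"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("jpeg+zip", POLYGLOT_JPEG), ("png+zip", POLYGLOT_PNG)):
        print(label, inspect_image(blob))
```

A non-zero `trailing_bytes` alone is not proof of anything, since some cameras and editors pad files, so the ZIP-entry listing is the signal worth alerting on; the same walk can be extended to look for other container signatures in the trailer.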

Files hit by the malware are encrypted and saved with the additional extension .KK. So far there is no known way to decrypt them. The blackmailers demand a ransom of around USD 400 in bitcoins. But no-one yet knows whether the files are actually decrypted after payment. The best protection against blackmail Trojans and other malware is still regular backups. Some vendors of security software have also developed special ransomware protection. But the same principle applies: never open email attachments from an unknown sender.

