It's using a type of email attachment that most providers don't screen for.
ZD Net Explains:
Ransomware groups have evolved yet another new tactic in their quest to infect victims with malicious file-encrypting software, including those behind the notorious Locky campaign.
Email remains very much the main delivery method of ransomware but over the last three months there's been a shift in tactics, with cybersecurity researchers at Symantec spotting a sudden surge in Windows Script Files (WSF) used to distribute ransomware.
WSF files are opened by Windows Script Host (WSH) and are designed to allow a variety of scripting languages to mix within a single file. What makes files with the .wsf extension appealing to cybercriminals, hackers, and other ransomware pushers is that they're not automatically blocked by some email clients and can be launched like a standard executable file.
