BEWARE! HACKERS ARE SPREADING LOCKY RANSOMWARE USING FACEBOOK MESSENGER

Beware! Hackers Are Spreading Locky Ransomware Using Facebook Messenger

Security researchers have discovered an attack that makes use of your Facebook Messenger to spread Locky malware. In a short period of time, Locky has become one of the favorite ransomware tools of spammers. It usually spreads via spam emails with a disguised downloader.

This attack was first discovered by malware researcher Bart Blaze. Surprisingly, the malware manages to bypass Facebook’s file extension filter.
The hackers are spreading this ransomware using an .SVG image file. So, if you receive one that looks like the one shown ahead, avoid clicking it. I myself got this ransomware in my inbox via a friend.
rocky-ransomware-facebook
Malicious image in Facebook

HOW DOES AN IMAGE CARRY LOCKY RANSOMWARE?

For those who don’t know, an .SVG file is an XML-based vector image with support for animation and interactivity. This means that one can embed content, like JS, in the file. The file being shared here is a heavily obfuscated script that redirects one to a shady website, prompting one to download an additional extension.
rocky_ransomware_1
Shady website with extension download notice
It looks like this malware is used to download more malware on a system. The security researchers have found Locky ransomware as payload in their investigations.
Contents of .SVG file

REMOVE THE MALICIOUS EXTENSION IMMEDIATELY:

The extension has no icon, so it might seem invisible. It can have one of following descriptions:
One ecavu futolaz corabination timefu episu voloda
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum
The users are advised to open the Extensions list from Chrome menu and look for the description. Now, simply clicking on the remove button will delete it.
One must change his/her Facebook password and run a deep antivirus scan. You are also requeste

Comments