
Short Bytes: Attackers are using Facebook Messenger to spread the Locky ransomware. They send malicious .SVG files over Messenger to lure users into installing further malware. Users should immediately check their Chrome extensions for suspicious entries. They are also advised to change their Facebook passwords.

Security researchers have discovered an attack that uses Facebook Messenger to spread the Locky ransomware. In a short period of time, Locky has become one of the favorite ransomware tools of spammers. It usually spreads via spam emails carrying a disguised downloader.

The attack was first discovered by malware researcher Bart Blaze. Surprisingly, the malicious file gets past Facebook's file extension filter.

The attackers are spreading this ransomware using an .SVG image file. So, if you receive one that looks like the one shown ahead, avoid clicking it. I myself got this ransomware in my inbox via a friend.

Image: Malicious image in Facebook

How does an image carry Locky ransomware?

For those who don't know, an .SVG file is an XML-based vector image with support for animation and interactivity. This means that script (JavaScript) can be embedded directly in the file, either in a script element or in event-handler attributes such as onload. Browsers run that script only when the SVG is opened as a document in its own tab, which is exactly what clicking the Messenger attachment does; an SVG rendered through an img tag does not execute script. The file being shared here carries a heavily obfuscated script that redirects the victim to a shady website, which then prompts them to install an additional browser extension.
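As an added illustration (not code from the article or from the researchers), the scanner below parses an SVG as XML and reports the features that make it dangerous: script elements, on* event-handler attributes, javascript: links, embedded foreign objects and external references. Both sample files are constructed here; the malicious one mirrors the shape of the attack described above (an obfuscated string decoded and used to redirect the browser) with a placeholder URL.

```python
"""Heuristic scanner for script-bearing SVG files (added example).
Assumes the input is a complete XML document; anything that fails to parse
is reported as suspicious rather than silently skipped."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an ordinary vector image with no active content.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#09c"/>
</svg>"""

# Constructed sample modelled on the attack: a tiny visible shape plus a
# script that decodes an obfuscated string and redirects the top window.
# The base64 string and URL are placeholders, not the real campaign's.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <rect width="10" height="10"/>
  <script type="text/javascript"><![CDATA[
    var _0x1 = ["aHR0cDovL2V4YW1wbGUuaW52YWxpZC9wbGF5"]; // constructed
    function init(){ window.top.location = atob(_0x1[0]); }
  ]]></script>
</svg>"""

ACTIVE_CONTAINERS = {"foreignobject", "iframe", "embed", "object"}
EXTERNAL_REF = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return name.split("}")[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no
    active content was seen (which is not proof of safety)."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element present")
        elif tag in ACTIVE_CONTAINERS:
            findings.append(f"<{tag}> element present")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                if value.strip().lower().startswith("javascript:"):
                    findings.append(f"javascript: link on <{tag}>")
                elif EXTERNAL_REF.match(value):
                    findings.append(f"external reference {value.strip()} on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(blob) or "no active content found")
```

Run it over any SVG you are unsure about before opening it in a browser; a hit on a script element or an onload handler in something that claims to be a picture is reason enough not to click.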

Image: Shady website with extension download notice

The extension appears to exist only to fetch further malware onto the system; in the researchers' investigation, the payload it delivered was the Locky ransomware.

Image: Contents of the .SVG file

Remove the malicious extension immediately:

The extension has no icon, so it is easy to overlook. It can have one of the following descriptions:

One ecavu futolaz corabination timefu episu voloda
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum

Open the Extensions list from the Chrome menu (or type chrome://extensions in the address bar) and look for that description. Clicking the Remove button deletes it.
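For anyone checking more than one machine or profile, the script below (an added example, not a tool from the article, the researchers or Google) inventories installed Chrome extensions by reading each one's manifest.json from the profile's Extensions directory and flags entries whose description matches the two strings above, that declare no icon, or that ask for broad host permissions. The profile locations are Chrome's defaults; the sample profile that demo() builds is constructed here purely for illustration, and its extension IDs are made up.

```python
"""Inventory Chrome extensions from on-disk manifests (added example)."""
from __future__ import annotations
import json
import tempfile
from pathlib import Path

# Descriptions reported for the Locky dropper extension (from the article).
SUSPECT_DESCRIPTIONS = {
    "One ecavu futolaz corabination timefu episu voloda",
    "Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def chrome_profile_dirs() -> list:
    """Chrome's default user-data roots; each subfolder with an Extensions
    directory (Default, Profile 1, ...) is one profile."""
    home = Path.home()
    roots = [
        home / "AppData" / "Local" / "Google" / "Chrome" / "User Data",  # Windows
        home / "Library" / "Application Support" / "Google" / "Chrome",  # macOS
        home / ".config" / "google-chrome",                              # Linux
    ]
    return [p for r in roots if r.is_dir()
            for p in r.iterdir() if (p / "Extensions").is_dir()]


def inventory(profile: Path) -> list:
    """One record per installed extension version, with suspicion flags.
    Layout assumed: <profile>/Extensions/<id>/<version>/manifest.json."""
    records = []
    for manifest in sorted((profile / "Extensions").glob("*/*/manifest.json")):
        version_dir = manifest.parent
        rec = {"id": version_dir.parent.name, "version": version_dir.name,
               "name": "", "description": "", "flags": []}
        try:
            m = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError) as exc:
            rec["flags"].append(f"unreadable manifest: {exc}")
            records.append(rec)
            continue
        rec["name"] = m.get("name", "")
        rec["description"] = m.get("description", "")
        if rec["description"] in SUSPECT_DESCRIPTIONS:
            rec["flags"].append("description matches the Locky dropper extension")
        if not m.get("icons"):
            rec["flags"].append("no icon declared")
        perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
        if any(p in BROAD_HOSTS for p in perms):
            rec["flags"].append("broad host permissions")
        records.append(rec)
    return records


def build_sample_profile(root: Path) -> Path:
    """Constructed profile: one ordinary extension and one shaped like the
    dropper. IDs are placeholders (real ones are 32 letters a-p)."""
    profile = root / "Default"
    good = profile / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    bad = profile / "Extensions" / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "0.1_0"
    good.mkdir(parents=True)
    bad.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "Reader Mode", "version": "1.0",
        "description": "Strips clutter from articles",
        "icons": {"48": "icon48.png"}, "permissions": ["activeTab"]}))
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 2, "name": "Oziha", "version": "0.1",
        "description": "Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum",
        "permissions": ["<all_urls>", "tabs"]}))
    return profile


def demo() -> list:
    """Run the inventory over the constructed profile in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for prof in chrome_profile_dirs():
        for rec in inventory(prof):
            if rec["flags"]:
                print(prof, rec)
```

Chrome must be closed or the manifests copied out first if you want a consistent snapshot; note also that a manifest's name and description can be localized (values of the form __MSG_key__), in which case the strings above will not match literally and the no-icon and permission flags are the ones to rely on.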

Change your Facebook password and run a full antivirus scan. You are also requested to share this news with your friends and make them aware.

