User reports of a new ransomware strain spread by hackers on Facebook Messenger surfaced over the last couple of days. The malicious software received the codename ‘Locky,’ and it works by exploiting one of Facebook’s less-known vulnerabilities.
‘Locky,’ according to various sources, first appears from a malicious Scalable Vector Graphic, or .svg, file users receive on Facebook Messenger.
When they click it, they are told to install a particular software on their computer that scrambles their data and asks for payment to restore it.
On Thursday, researchers at the Israeli security firm Check Point released a detailed report of a new attack vector (a hacker’s modus operandi) called ImageGate.
This technique allows computer thieves to embed malware on an image file they later share with an unsuspecting victim. Check Point believes this is how hackers spread ‘Locky.’
How does ‘Locky’ work?
‘Locky’ works by luring users into clicking an image file, which is arguably a tad more inviting than a nameless file with an unfamiliar extension. Computers open SVG files readily, which makes them look perfectly ordinary.
After the image is clicked, it redirects the user to a fake YouTube site that tells them to download a codec to watch a video. When the user agrees, it installs a downloader called Nemucod, which later downloads, installs, and runs the Locky malware.
‘Locky’ quickly encrypts most files on the hard drive, denying users access to them. Then it prompts the user to pay or lose all their data. Reports note hackers usually ask for around half a Bitcoin ($200-400) in ransom.
The latest Bitcoin Price Index is 727.44 USD https://t.co/lzUu2wyPQN pic.twitter.com/BkUFBiF0e2
— CoinDesk (@coindesk) November 27, 2016
Other attacks involving Locky include sending corrupted Microsoft Office documents in email attachments, and various contemporary types of online email phishing.
How to avoid ‘Locky’ in three simple steps
- Users should not download any files with the following extensions: .svg, .js, and .hta. They can also configure these extensions to open only in Notepad, which keeps Locky from executing in the web browser and defeats it.
- Users should keep their Windows computers protected with up-to-date anti-phishing and anti-malware tools and only open files that come from trusted sources.
- A good way to counter this kind of attack is to contact the sender of an external file through a different channel and check whether they actually sent it.
- Warning friends and family about this specific threat also helps, as does checking with them when suspicious activity appears to come from their accounts.
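As an added example (not from the article or from Check Point), here is a small Python triage check that inspects an SVG attachment for active content, such as an embedded script element or a javascript: link, before anyone opens it in a browser. The two sample SVGs are constructed for the demonstration and the function names are assumed.

```python
import xml.etree.ElementTree as ET


def svg_script_indicators(svg_text: str) -> list[str]:
    """Return reasons an SVG should be treated as active content, not a picture.

    Looks for <script> elements, on* event-handler attributes, javascript: URLs
    in href attributes, and <foreignObject> (which can embed arbitrary HTML).
    An empty list means nothing executable was found.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop the XML namespace prefix
        if tag == "script":
            findings.append("<script> element present")
        if tag == "foreignobject":
            findings.append("<foreignObject> element present (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name!r} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_safe_to_preview(svg_text: str) -> bool:
    """True only when the SVG carries no script indicators at all."""
    return not svg_script_indicators(svg_text)


# Constructed samples, not real attachments.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* placeholder: a lure would redirect the browser from here */</script>
  <a xlink:href="javascript:void(0)"><text y="20">Play video</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_script_indicators(doc) or "no active content")
```

Scripts like this are useful as a mail-gateway or helpdesk triage step; they complement, rather than replace, the Notepad file-association tip above.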
Source: Check Point / Spectrum