We warned you yesterday about a ransomware attack being spread through Facebook Messenger. The attack starts with a Scalable Vector Graphics (SVG) image file sent as a message. SVG is an XML format that can carry embedded JavaScript, so opening the "image" in a browser redirects the victim to a fake YouTube site. That site then prompts the victim to install a Chrome extension that is actually a malware downloader known as Nemucod, which in turn is used to fetch the Locky ransomware.
Locky is one of the most damaging ransomware strains in circulation because, to date, no weakness has been found in its encryption. Once a machine is infected, Locky encrypts the victim's files and demands a ransom, usually payable in Bitcoin. With no free decryption tool available, the only ways to get the files back are restoring from a backup or paying the ransom, and paying guarantees nothing.
If you use Facebook Messenger at work, be especially careful, because Locky is particularly devastating in a business environment. Traditionally delivered through phishing emails, it has hit hospitals, government offices, schools and businesses around the world. It does not only encrypt the local disk: it also encrypts files on network shares, file servers and removable drives reachable from the infected machine, so a single infected workstation can cripple an entire office.
Facebook, for its part, confirms that Nemucod is spreading through Messenger but says the campaign was not delivering Locky at scale as initially reported.
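As an added illustration, not code from the article or from the researcher who found the campaign, the Python below parses an SVG file and reports anything in it that can run or redirect: script elements, on* event handlers, javascript: URLs and external links. Both sample files are constructed here; the redirect target is a placeholder domain, not the campaign's site.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of how an SVG "image" can redirect its viewer: an onload
# handler plus an embedded <script>. The domain is a placeholder, not the
# campaign's real site.
SAMPLE_MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200" onload="location.href='http://fake-youtube.invalid/'">
  <rect width="200" height="200" fill="#ccc"/>
  <script type="text/javascript"><![CDATA[
    window.location = "http://fake-youtube.invalid/";
  ]]></script>
</svg>
"""

# Constructed benign sample: a pure vector drawing with no active content.
SAMPLE_BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                     '<circle cx="5" cy="5" r="4"/></svg>')

# Elements that execute code or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def svg_active_content(svg_text):
    """Return a list of human-readable findings; an empty list means nothing active was found."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers are strict about SVG well-formedness, but a file we cannot parse
        # is one we cannot vet, so report it rather than silently passing it.
        return [f"not well-formed XML ({exc}); do not trust it"]

    findings = []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()          # strip the XML namespace
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()         # e.g. xlink:href -> href
            if name.startswith("on"):                  # onload, onclick, onmouseover, ...
                findings.append(f"{name}= handler on <{tag}>")
            elif name == "href":
                if re.match(r"\s*javascript:", value, re.I):
                    findings.append(f"javascript: URL in href on <{tag}>")
                elif re.match(r"\s*https?://", value, re.I):
                    findings.append(f"external href {value.strip()} on <{tag}>")
    return findings


def is_suspicious(svg_text):
    """True if the SVG contains anything that can run code or send the viewer elsewhere."""
    return bool(svg_active_content(svg_text))


if __name__ == "__main__":
    for label, doc in (("malicious sample", SAMPLE_MALICIOUS_SVG),
                       ("benign sample", SAMPLE_BENIGN_SVG)):
        print(label, "->", svg_active_content(doc) or "clean")
```

Scripts inside an SVG run when the file is opened as a document (a browser tab, or an object or iframe), which is exactly what happens when you click the "photo" link in Messenger; they do not run when the same file is displayed through an img tag. A mail or chat gateway can apply a check like this one and strip or quarantine any SVG that trips it, since a legitimate picture has no reason to carry script.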
As a Facebook spokesperson told Threatpost:
"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties."
Even so, a Nemucod infection is a serious concern in its own right. According to Bart Blaze, the researcher credited with discovering the campaign, the malicious Chrome extension steals Facebook credentials and is likely being used to download other malware as well, not only Locky. If you installed it, remove it immediately.
Another concern is that this infection vector got past Facebook's filters. If this campaign slipped through Facebook Messenger, it will not be the last to try.
So be extra vigilant and be wary of any files sent to you via Facebook Messenger, even from a trusted friend.
If a Facebook friend sends you a questionable file, tell them right away. Their account may have been compromised, and they should change their Facebook password and review their account's active sessions as soon as possible.
What you should do
To recap, here's how to prevent this attack:
- Do not open SVG files - If you receive one of these messages through Facebook Messenger, do not click on the "photo". An SVG can contain script, and opening it in the browser is what starts the attack.
- Warn your friends - If a friend sent you the SVG file, their account has most likely been compromised. Let them know immediately so they can change their password and warn others not to click on the link.
- Refuse the Chrome extension - If you clicked on one of these SVG files by mistake, you still have time: when the fake YouTube site asks you to install a Chrome extension, do NOT do it.
- Remove the extension - If you went as far as installing the malicious extension, remove it immediately:
  - In Chrome, click the Menu button.
  - Select More Tools >> Extensions.
  - On the extension you want to remove, click Remove from Chrome (the button that looks like a trash can).
  - A confirmation dialog appears. Click Remove.
- Protect your device with internet security software, and keep both it and your browser up to date.
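The removal steps above go through Chrome's own settings page. When checking several machines, or when you want to see an extension's permissions before deciding, it helps to read the installed manifests directly. The Python below is an added example, not code from the article or from Google: it walks the Chrome user-data directory, lists every installed extension with its permissions, and flags ones that are not updated from the Chrome Web Store or that request broad access. The profile paths are the usual defaults and are assumed; the extension names, IDs and manifests in the demo profile are constructed so the script runs without a real Chrome install.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter every page, intercept traffic,
# or reach outside the browser. Any of these on an unknown extension deserves a look.
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                     "cookies", "history", "nativeMessaging", "proxy", "debugger"}
# update_url that Web Store extensions carry; anything else was sideloaded or unpacked.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def default_user_data_dir():
    """Assumed default Chrome user-data locations; adjust if you use a custom profile dir."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return local / "Google" / "Chrome" / "User Data"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome"
    return home / ".config" / "google-chrome"


def inventory_extensions(user_data_dir):
    """One record per installed extension version under <profile>/Extensions/<id>/<version>/."""
    records = []
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                      # unreadable or not JSON: skip, but worth a manual look
        version_dir = manifest.parent
        records.append({
            "profile": version_dir.parents[2].name,
            "id": version_dir.parent.name,
            "name": data.get("name", "?"),           # may be a __MSG_...__ key if localized
            "version": data.get("version", version_dir.name),
            "permissions": [str(p) for p in data.get("permissions", [])],
            "host_permissions": list(data.get("host_permissions", [])),   # manifest v3
            "from_webstore": data.get("update_url") == WEBSTORE_UPDATE_URL,
        })
    return records


def risk_reasons(record):
    """Why this extension deserves attention; an empty list means nothing obvious."""
    reasons = []
    if not record["from_webstore"]:
        reasons.append("not updated from the Chrome Web Store (sideloaded or unpacked)")
    broad = BROAD_PERMISSIONS.intersection(record["permissions"] + record["host_permissions"])
    if broad:
        reasons.append("broad permissions: " + ", ".join(sorted(broad)))
    return reasons


def build_demo_user_data_dir():
    """Constructed sample profile (hypothetical extensions) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="chrome-demo-"))

    def write(ext_id, manifest):
        d = root / "Default" / "Extensions" / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

    write("a" * 32, {"name": "Video Helper", "version": "1.0", "manifest_version": 2,
                     "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking"],
                     "background": {"scripts": ["bg.js"]}})
    write("b" * 32, {"name": "Store Addon", "version": "2.3.1", "manifest_version": 3,
                     "permissions": ["storage"], "update_url": WEBSTORE_UPDATE_URL})
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_user_data_dir()
    for rec in inventory_extensions(target):
        flags = risk_reasons(rec)
        print(f"[{'!!' if flags else 'ok'}] {rec['profile']}: {rec['name']} {rec['version']} ({rec['id']})")
        for reason in flags:
            print("     -", reason)
```

Pass a real user-data directory as the first argument (default_user_data_dir() gives the usual location) to audit an actual install. Removal should still be done through chrome://extensions, or in a managed fleet through the ExtensionInstallBlocklist policy; deleting the extension directory by hand leaves Chrome's own bookkeeping out of step with what is on disk.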