Facebook’s instant messaging may have just become more dangerous than ever before, as virus experts have come across a trail of the infamous Locky spam campaign. Throughout 2016, Locky ransomware was among the world’s leading cyber infections, and sadly this tradition looks set to drag on for even longer. Its developers seem tireless in inventing new ways of spreading this extremely destructive program. Just recently, distribution of the virus boomed after the RIG-E exploit kit was brought into play. Locky’s developers have also tried the infiltration paths used by potentially unwanted programs, bundling the ransomware’s malicious script into fake Flash Player updates. Now, the virus creators seem to be turning their attack force towards social networks, namely Facebook.
The Facebook platform has always been of interest to malware creators and distributors. Numerous versions of the Facebook virus have appeared one after another since early 2014. Some of these malicious programs were created solely for malvertising, others were aimed at phishing account logins and online banking information, while the rest seem to have been created merely to annoy people. However, ransomware had never made an appearance on this social networking website until now. That situation is about to change, as the Nemucod Trojan has already begun spreading via Facebook’s private messages. The virus arrives in the user’s inbox as a vector image file called photo_4837.svg, photo_999.svg or photo_8470.svg. It is usually sent from an already infected account on the targeted victim’s Facebook friends list, so it is often clicked without hesitation. After interacting with the malicious link, the user is immediately redirected to a suspicious page that imitates YouTube but is actually hosted on the completely unrelated kerman.pw/?fb_dsa domain. This page quickly drops a notification urging the user to allow browser extensions called “Ubo” or “One” to install. Once installed, these extensions let the hackers gain full control of the browser, and they continue the system hijack by downloading the Nemucod Trojan onto the computer. Although this malware downloader can be used to secretly deploy any virus or potentially unwanted program on the infected computer, it currently focuses on Locky distribution, so having it reside on the PC is extremely dangerous!
Do not wait until Nemucod downloads Locky onto your computer. Scan your device with antivirus software regularly and eliminate the vulnerabilities that could allow treacherous applications to corrupt your personal data or your computer system. To keep your files completely safe, don’t forget to make backup copies and store them somewhere safe.
UPDATE: Locky virus is still actively spreading on Black Monday. According to security experts, the Facebook and Linkedin (!) social networks haven’t fixed their vulnerabilities, so you can get infected when visiting them. To avoid the malicious downloader used to infect systems with Locky ransomware, you still need to be careful with image files sent to you via Messenger. At the time of writing, hackers are using three extensions: .svg, .js and .hta. You may be tricked into thinking you are downloading a .jpg image, because the infected files are usually named like [random numbers].jpg.hta or [random numbers].jpg.svg.
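The two warning signs described above, a deceptive double extension such as .jpg.hta and an SVG that carries script rather than just a picture, can be checked automatically before an attachment is opened. The following is an added example written for this article, not code from the original post or from any vendor; the file names and SVG samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Extensions the article reports for this campaign (.svg, .js, .hta).
SCRIPTABLE_EXTS = {"svg", "js", "hta"}
# Extensions a recipient expects for a harmless picture.
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def deceptive_double_extension(filename: str) -> bool:
    """True for names like 'photo_4837.jpg.hta': an image extension
    followed by a scriptable one, so the file is not what it looks like."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in IMAGE_EXTS and outer in SCRIPTABLE_EXTS


def svg_has_active_content(svg_bytes: bytes) -> list:
    """Reasons an SVG should be treated as active content instead of a
    plain image: <script> elements, on* event handlers, javascript: hrefs."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["not well-formed XML"]
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1].lower()   # strip XML namespace
        if tag == "script":
            findings.append("<script> element")
        for attr, value in el.attrib.items():
            name = attr.split("}", 1)[-1].lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href")
    return findings


def should_quarantine(filename: str, data: bytes = b"") -> bool:
    """Combined triage: hold the attachment if its name is deceptive, if it
    is a .js/.hta script, or if it is an SVG that carries active content."""
    name = filename.lower()
    if deceptive_double_extension(name) or name.endswith((".js", ".hta")):
        return True
    return name.endswith(".svg") and bool(svg_has_active_content(data))


# Constructed samples (not taken from the campaign): a plain drawing and
# one that carries a script element plus an onload handler.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
SUSPECT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
               b'<script>/* placeholder */</script></svg>')
```

Run over a mailbox or download folder, `should_quarantine` flags both naming tricks the article mentions while letting a scriptless SVG through.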