In what is being seen as an imminent attack by Locky ransomware, certain files sent over Facebook Messenger are reported to download the Nemucod downloader onto the victim’s computer and spread Locky onto the machine.
Bart Blaze, a renowned security expert, recently published a blog post with screenshots of the entire attack that is taking place silently on Facebook Messenger. According to him, the malware arrives in your Messenger as a ‘.svg’ file, an extension generally used for vector images. It is an unusual format for sharing images, but all modern browsers can open it.
The advantage of an .svg file, from the attacker's point of view, is that any kind of content can be embedded in it (even JavaScript code), and a modern browser will process all of it when the user opens the file. Clicking the link takes you to a YouTube-esque web page, which obviously wants you to install an extension before you view the video. The extension has no icon, so it seems invisible, and it asks for ‘reading and changing the websites you visit’ in its permissions.
Peter Kruse, yet another security expert, took to Twitter to claim that Locky ransomware was indeed behind the attack and that it silently made its way onto the system once the aforementioned extension was installed. After this discovery, Blaze got in touch with the Facebook and Google teams to inform them about this vulnerability.
Since then, the rogue Google Chrome extensions have been taken down, and Facebook is now filtering messages for SVG files as well. If you think you are infected with the same malware, you should immediately remove all suspicious extensions from your browsers and run an antivirus scan to make sure nothing is putting your data at risk.
To protect yourself from such ransomware attacks, always think twice before clicking on links, photos or videos that people send you on Messenger. Double-check with the sender before opening these attachments.