Any Facebook message with an image file (.svg format) send by your friend can be a Locky Ransomware file, so just avoid clicking it.
Attackers are using facebook messenger to spread Locky Ransomware

What is Locky Ransomware?

Locky is ransomware released in 2016. It is distributed via malicious .doc files attached to spam email messages ( that was claimed as an invoice requiring payment). There were an attached M.S word document  contains malicious macros.

Impact of Locky Ransomware

When user opens the word document file, it appears to be full of garbage content and it includes the phrase “Enable the macros if data encoding is incorrect”. If the user does enable the macros it download and save an executable binary which automatically run in the background and starts encrypted files of your system with RSA-2048 and AES-1024 algorithm. It is near about impossible to decrypt those encrypted file without knowing exact key.

Attacker may ask for money (0.5 to 1 bitcoin) to decrypt your files.

Why spammers are using .svg file?

Security researcher Bart Blaze, discovered that the attack campaign is uses Nemucod downloader (that take the form of .svg image file) to spread malware via Facebook Messenger.

What is svg file?

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.

Attacker are using .svg file (scalable vector graphics) for spreading the malware because they can embed any content such as javascript to that file. Also any modern web-browser can open this file.

How it works?

As we mentioned above one can embed any content( such as JavaScript) which can be a link to an external file or like a pop up. If clicked, it will download any extension by which attackers can alter your browser data and can spam message to your friend.

scrWhat can be more worse?

Researcher found that svg file contains Nemucod downloader which can downloads a copy of popular Locky Ransomware to your system and encrypt all of your data.

Removal of Malicious extension

The Facebook security team as well as Google Chrome’s store security team have been notified for this malicious activity. Google already has remove this extension from chrome store and Facebook is keep trying to blocking these kind of hacks.

However in case you have enable this extension then remove it using below steps :

  • Go to chrome menu
  • Focus your pointer on more
  • Click on extension
  • Remove all suspicious extensions

Have something to add in this article?? Please share in comments.

Follow us for more reviews,tutorials and tech news on Facebook, Google Plus and Twitter.