A nasty piece of malware is currently spreading over the internet via Facebook Messenger: the Locky ransomware. Ransomware is an especially destructive class of malware. Once it is downloaded and run on the victim's computer, laptop or whatever else they use, it encrypts every file it can reach with strong, correctly implemented encryption, and the only copy of the decryption key is held by the attacker. Unless you pay the ransom (or have an offline backup), you are not getting your data back.
Locky spreads via Facebook Messenger in the form of an .SVG image file sent by one of your friends. SVG is an XML format, and unlike a JPEG or PNG it can carry embedded JavaScript, which browsers execute when the file is opened directly. If you click the image, it opens in your browser and the script inside it redirects you to a spoofed YouTube website. The URL is different, but the page looks like the regular YouTube we all know and love. The spoofed site then shows a pop-up asking you to install a specific codec extension for Google Chrome, supposedly needed to watch the video your friend sent you.
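Because the SVG is just XML, a defender can triage an attachment before anyone opens it by looking for the three ways an SVG can run code: `<script>` elements, `on*` event-handler attributes, and `javascript:` URLs in `href` attributes. The scanner below is an added example written for this article, not code from the campaign or from Bart Blaze's analysis; both SVG samples in it are constructed for illustration (the hypothetical `example.invalid` host is a placeholder, not the real redirect target), and the finding strings are an invented format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a harmless SVG containing only shapes.
BENIGN_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>"""

# Constructed sample: an SVG that carries script and redirects the browser
# when opened as a top-level document. Invented for illustration; this is
# not the payload from the real campaign.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="init()">
  <script type="text/javascript"><![CDATA[
    function init() { window.location = "http://example.invalid/watch"; }
  ]]></script>
  <a xlink:href="javascript:init()"><rect width="100" height="100"/></a>
</svg>"""

# Elements that can host active content in an SVG document. <foreignObject>
# lets an SVG embed arbitrary HTML (and therefore script) as well.
ACTIVE_ELEMENTS = {"script", "foreignobject", "handler"}

JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1].lower()


def scan_svg(data: str) -> list:
    """Return a list of findings for an SVG document; an empty list means
    no active content was found. This is a triage check, not a sanitizer:
    an SVG that passes is not proven safe, but one that fails should never
    be opened in a browser."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself suspicious (browsers are more lenient
        # than expat), so report it rather than silently passing the file.
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and JS_URL.match(value):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_safe_to_open(data: str) -> bool:
    """True only when the scan produced no findings at all."""
    return not scan_svg(data)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(sample))
```

On the constructed samples the benign file produces no findings, while the malicious one is flagged three times (the `onload` handler on `<svg>`, the `<script>` element, and the `javascript:` link). Two caveats a practitioner should keep in mind: a script inside an SVG runs only when the file is opened as its own document (which is exactly what clicking a Messenger attachment did), not when the same file is rendered through an `<img>` tag; and the stdlib parser used here is fine for triage of small files, but for bulk scanning of untrusted input you would want a hardened XML parser such as defusedxml to avoid entity-expansion tricks.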
The malicious Chrome extension goes by the name One or Ubo. Once installed, it lets the attacker hijack your browser session, including the Facebook account you are logged into, and use it to send the same SVG to everyone on your friends list. The Nemucod downloader delivered through this chain is what actually fetches and installs Locky on the victim's computer. The campaign, which is still ongoing on Facebook, was discovered by Bart Blaze, a security researcher.
Google has already removed the One/Ubo extensions from the Chrome Web Store, and we can only hope Facebook takes action against the .SVG spam campaign. If you have already installed either extension, remove it immediately via Menu, then Tools, then Extensions, and consider your Facebook session compromised until you have changed your password. If Locky has already run on your machine and you do not have a backup, you are out of luck. To quote Blaze, better safe than sorry:
“As always, be wary when someone sends you just an ‘image’ – especially when it is not how he or she would usually behave.”