WatchPoint Security Blog

Locky Ransomware Infiltrates Facebook Through JPG Images

Written by Jordan Kadlec | November 30, 2016

Cybercriminals are continuously finding new ways to infiltrate users’ systems using ransomware. Researchers have recently discovered that hackers are using .JPG images to distribute Locky Ransomware through Facebook and its Messenger app.

Locky Ransomware

Locky has been around since early this year. It works by encrypting victims' files and demanding a ransom of around half a bitcoin (about $365) for the decryption key. Previously, Locky relied on malicious macros in Word documents delivered by spam email. Now, however, attackers have found a way to distribute the ransomware by embedding malicious code in a file that presents itself as a .JPG image and successfully uploading it to Facebook. The attack abuses a misconfiguration in the social networks' infrastructure that causes the file to be downloaded to the victim's device; the device is infected as soon as the user opens the downloaded file.

In a proof-of-concept video by Check Point, an attacker is shown exploiting the flaw in the Facebook Messenger app. The attacker sends an HTML Application (.HTA) file through Messenger disguised as a .JPG image. When the victim clicks the attachment, Windows shows a save-file prompt for the .HTA file rather than displaying an image. Once the victim saves and opens the downloaded .HTA file, it runs and unleashes Locky on the user's system.

Users are advised not to open any file that has been downloaded automatically, especially a supposed image file with an unusual extension such as .SVG, .JS, or .HTA. The extension, not the icon or the name the sender gave the file, is what decides whether Windows displays it or executes it.
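The advice above comes down to one check: does the file's content match what its name claims? The following script is an added example for this post, not code from WatchPoint or Check Point. It inspects the leading bytes of a downloaded file against its extension, flags the scriptable formats the post names (.HTA, .JS, and SVG carrying a script), and catches the double-extension trick (photo.jpg.hta). The sample files are constructed stand-ins for Messenger downloads and contain no real malware; the marker patterns and the allow/review/block verdicts are this example's own design.

```python
"""Flag downloaded "images" whose bytes do not match their extension.

Added example, not code from the original post. Windows picks a file's
handler by its final extension, so photo.jpg.hta or an SVG with an
embedded <script> is executed when opened, while a real JPEG is just shown.
"""
import re
from pathlib import Path

# Leading bytes (magic numbers) of genuine raster image formats.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions whose Windows handler executes the file when it is opened.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Content markers for the scriptable formats named in the post (assumed set).
SCRIPT_MARKERS = (
    (re.compile(rb"<\s*hta:application\b", re.I), "HTA"),
    (re.compile(rb"<\s*script\b", re.I), "embedded script"),
    (re.compile(rb"\b(ActiveXObject|WScript\.Shell)\b"), "Windows scripting API"),
)


def script_hits(data):
    """Labels of every scriptable-content marker found in the data."""
    return [label for pattern, label in SCRIPT_MARKERS if pattern.search(data)]


def classify(name, data):
    """Return ("allow" | "block" | "review", reason) for a file name and its bytes.

    Only the first 4 KiB are inspected; that covers the header of any real
    image and the opening tags of any HTA, SVG or HTML wrapper.
    """
    path = Path(name)
    ext = path.suffix.lower()
    head = data[:4096]

    # 1. The final extension decides the handler; a scriptable one is never an image.
    if ext in SCRIPT_EXTENSIONS:
        inner = "".join(path.suffixes[:-1]).lower()
        reason = f"{ext} is executed when opened"
        if inner:
            reason += f" (disguised with inner extension {inner})"
        return "block", reason

    # 2. SVG is XML and may carry JavaScript; block if a script is visible.
    if ext == ".svg":
        hits = script_hits(head)
        if hits:
            return "block", "SVG contains " + ", ".join(hits)
        return "review", "SVG without visible script; still a scriptable format"

    # 3. Raster image extensions must start with the format's magic bytes.
    if ext in IMAGE_MAGIC:
        if any(head.startswith(magic) for magic in IMAGE_MAGIC[ext]):
            return "allow", f"{ext} header matches content"
        hits = script_hits(head)
        if hits:
            return "block", f"{ext} extension but content is " + ", ".join(hits)
        return "review", f"{ext} extension but header does not match"

    return "review", f"unrecognised extension {ext!r}"


# Constructed samples standing in for Messenger downloads (no real malware).
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64,
    "photo.jpg": b"<html><hta:application id=x /><script>"
                 b"new ActiveXObject('WScript.Shell')</script></html>",
    "holiday.jpg.hta": b"<html><hta:application id=x /></html>",
    "cat.svg": b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<script>location="http://example.invalid/"</script></svg>',
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "pic.png": b"GIF89a" + b"\x00" * 32,   # GIF bytes under a .png name
}


def scan(samples=SAMPLES):
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify(name, data)
        print(f"{verdict:6} {name:18} {reason}")
```

Run against a real Downloads folder by reading each file's first 4 KiB and passing its name and bytes to classify(). The point of the three-way verdict is that a header mismatch alone (a GIF saved as .png) is suspicious but harmless, whereas HTA or script content behind an image name, or a scriptable final extension, is exactly the lure this campaign used and should be blocked outright.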

Facebook Denies Ransomware Attack

Facebook responded on Monday, denying that its network and Messenger app were being used to distribute Locky Ransomware.

“This analysis is incorrect,” said Jay Nancarrow, a spokesperson for Facebook. “There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook.”

Facebook also notes that it maintains automated systems to help stop harmful links and files from appearing on its site, and says it was already blocking this form of attack from its platform. Rather, Facebook claims, Locky was being installed by malicious Chrome extensions, and it has reported the issue to the appropriate parties.

Protect Yourself from Ransomware

Either way, for protection against becoming a victim of ransomware, one thing users must remember is to never open a suspicious file. In this case, never click on an image from someone you don’t know or from someone who usually doesn’t send you files like these over Facebook. It’s smart to be a little – maybe a lot – paranoid. As we constantly say, users are always the weakest link in the cybersecurity chain. The majority of ransomware is distributed through negligence on the user’s end. That’s where WatchPoint comes into play.

WatchPoint’s CryptoStopper is an active defense system, employing deception technology to protect networks from ransomware attacks such as Locky Ransomware. At $20/Server/Month, CryptoStopper is an important part of a multilayered network security system.