A cunning but surprisingly low-tech piece of malware has been spreading over the past week through a new attack vector, and the problem is worrying security researchers. The malware works by exploiting flaws the researchers found in the Facebook and LinkedIn platforms.
The Israeli security firm Check Point noted that there are two security flaws in the Facebook and LinkedIn social networks which allow a specially crafted image containing malware to be downloaded onto a user's computer by itself. If users notice the file and open it, they unknowingly install the Locky malware on their computers.
The Locky malware has been around for the better part of this year. It encrypts the user's files and demands a ransom of half a bitcoin for the key to unlock them. Locky previously relied on macro malware in Word documents and on spam emails to spread. However, the Check Point researchers said they had witnessed an increase in Locky spreading through social media.
The researchers said they would not go into full detail on how the malware infects devices until the two companies involved, Microsoft and Facebook, release patches. In the meantime, users are urged not to open any files that have automatically downloaded themselves onto their devices, and not to open any image file with a suspicious extension such as SVG, JS or HTA. They also said that benign-looking images can exploit the many ways in which Windows hides file extensions.
Security researcher Lawrence Abrams wrote back in February that when Locky infects a computer and encrypts files, it immediately renames each file to a different format. So when a test file is encrypted, it is renamed to something totally different, such as F67091F1D24A922B1A7FC27E19A9D9BC.locky. A unique ID may also be appended to the end of the encrypted file.
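To tie together the two indicators the article gives, the script-like "image" extensions (SVG, JS, HTA) hidden by Windows and the 32-hex-character .locky file names, here is an added defensive example that is not part of the original article or of any vendor's tooling: a small Python triage function that flags such file names, so a responder can quickly check a download folder or a share. The extension sets, the sample file names and the helper names are constructed assumptions for the example.

```python
import re
from pathlib import Path

# Extensions the article calls suspicious when delivered as "images".
SCRIPT_LIKE = {".svg", ".js", ".hta"}
# Common image extensions an attacker would front-load, e.g. photo.jpg.js,
# which Windows shows as "photo.jpg" when it hides known extensions.
IMAGE_LIKE = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Locky's renamed-file pattern from the article: 32 hex characters + ".locky".
LOCKY_NAME = re.compile(r"^[0-9A-Fa-f]{32}\.locky$")


def classify(name: str):
    """Return a reason string if the file name is suspicious, else None."""
    p = Path(name)
    if LOCKY_NAME.match(p.name):
        return "locky-encrypted"          # evidence of an encrypted file
    suffixes = [s.lower() for s in p.suffixes]
    if not suffixes:
        return None
    if suffixes[-1] in SCRIPT_LIKE:
        # Double extension: looks like an image once the real one is hidden.
        if len(suffixes) >= 2 and suffixes[-2] in IMAGE_LIKE:
            return "double-extension"
        return "script-like"               # bare .svg/.js/.hta "image"
    return None


def scan_names(names):
    """Map each suspicious name to its reason; benign names are omitted."""
    return {n: r for n in names if (r := classify(n))}


def scan_dir(root: str):
    """Walk a real directory tree (e.g. a Downloads folder) with scan_names."""
    return scan_names(str(p) for p in Path(root).rglob("*") if p.is_file())


# Constructed sample names for a stand-alone run (not real indicators).
SAMPLE_NAMES = [
    "holiday.png",                                # benign
    "photo.jpg.js",                               # hidden double extension
    "funny_cat.svg",                              # script-capable image
    "invoice.hta",                                # HTML application
    "F67091F1D24A922B1A7FC27E19A9D9BC.locky",     # renamed by Locky
]

if __name__ == "__main__":
    for name, reason in scan_names(SAMPLE_NAMES).items():
        print(f"{reason:17} {name}")
```

Run it against a real folder with `scan_dir(r"C:\Users\alice\Downloads")`; a name-based check like this is a first triage step, not a substitute for inspecting the file contents.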
Various analyses showed that the mechanics of the Locky ransomware are just like those of any other variant on the market right now. The malware leaves a signature on each of the files it encrypts and points victims to servers reachable over Tor, giving them a chance to pay to get their files back.
After being contacted, Facebook stated that the researchers' analysis is incorrect and that there is no connection to Locky or any other ransomware, and none to either Facebook or Messenger. The company said that, from its own analysis, the problem stemmed from some extensions hosted in the Chrome Web Store. It has been blocking those extensions for the past week and has also carried out due diligence.