A new report on the well-known Locky ransomware claims to have found malware attached to image files on Facebook and LinkedIn, infecting users who download them with ransomware. Facebook denies this.
Check Point researchers claim to have found a Locky ransomware variant doing the rounds on social media, using a unique mode of attack.
Little is known of the attackers, who “exploit a misconfiguration on the social media infrastructure”, forcing users to download an image rather than just view it.
The file already has malicious code embedded in it, so the user’s device is infected as soon as the downloaded file is opened.
The logic behind using social media as an attack vector is pretty clever: Check Point notes that sites such as Facebook and LinkedIn (both namechecked by the company) are often whitelisted by users.
This ransomware attack has echoes of Locky, and is indeed related. In the case of Locky, once users download and open the malicious file they receive, all the files on their personal device are automatically encrypted, and they can only regain access to them after the ransom is paid.
According to Check Point, the industry estimation is that the campaign is still raging and claims new victims every day.
However, Facebook denies that images on its service are hosting this ransomware, telling Engadget in a statement:
“This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook.
“We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.”
Check Point, though, will release its full report “only after the remediation of the vulnerability in the major affected websites, in order to prevent attackers from taking advantage of this information”.
In the meantime, it advises users not to open any image files they are forced to download on social media, as images should be viewable without a download. Also, don’t open any image file with an unusual extension (such as SVG, JS or HTA).
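The advice above can be turned into a simple pre-open check on a downloaded “image”: reject the scriptable extensions Check Point names, and confirm that a file with a real image extension actually starts with an image header rather than markup. This is an added illustration, not code from Check Point or the article; the file names, sample bytes and the `SUSPICIOUS_EXTENSIONS` list are constructed for the example.

```python
from pathlib import Path
from typing import Optional, Tuple

# Extensions a genuine photo from a social network should carry.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Extensions the article warns about (plus a few other script/executable types): assumed list.
SUSPICIOUS_EXTENSIONS = {".svg", ".js", ".hta", ".html", ".htm", ".exe", ".scr", ".vbs"}
# Leading bytes of common raster image formats.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff_format(data: bytes) -> Optional[str]:
    """Identify a raster image format from its header bytes, or None if unrecognised."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def classify_download(name: str, data: bytes) -> Tuple[str, str]:
    """Return ("ok" | "suspicious", reason) for a file that was downloaded as an 'image'."""
    ext = Path(name).suffix.lower()          # only the last extension matters to the OS
    if ext in SUSPICIOUS_EXTENSIONS:
        return "suspicious", f"extension {ext} can carry script or executable code"
    if ext not in IMAGE_EXTENSIONS:
        return "suspicious", f"extension {ext or '(none)'} is not an image format"
    fmt = sniff_format(data)
    if fmt is None:
        head = data[:512].lower()
        if b"<svg" in head or b"<script" in head or b"<html" in head:
            return "suspicious", "image extension but markup/script content"
        return "suspicious", "image extension but no recognised image header"
    return "ok", f"{fmt} image header present"


# Constructed sample downloads (not real malware): a PNG, an SVG with an embedded
# script tag, an HTA, and a .jpg whose content is actually HTML.
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "holiday.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>',
    "holiday.hta": b"<html><head><script>/* constructed */</script></head></html>",
    "holiday.jpg": b"<html><body>not an image</body></html>",
}


def scan_all(samples=SAMPLES) -> dict:
    """Map each sample file name to its verdict."""
    return {name: classify_download(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        print(sample_name, *classify_download(sample_name, sample_data))
```

A mismatch between extension and content is the signal to act on: a real photo never needs to be downloaded and opened to be viewed in the browser.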