Locky ransomware spreading on Facebook cloaked as .svg file

khushaartanveer@gmail.com' By: Khushaar Tanveer
3 minute read

Spamming and ransomware are the most common forms of cyber crime encountered today. FBI records suggest that there has been $1 billion of money secured by cyber criminals in 2016 alone. As dangerous and untraceable as these crimes may be, encountering them on well-known, trusted sites make them even more perilous. This time, spammers have targeted Facebook.

Facebook has been marked quarantine after falling prey to a ransomware attack that has spread like wildfire over the social network. The notorious spam campaign involves the spreading of the Nemucod malware downloader among users, which in some cases was seen downloading the Locky ransomware. To make it even worse, there is no free decryption program available for Locky.

Locky ransomware is known to lock up an infected computer, encrypt its files then hold them ransom for a Bitcoin payment. There is still no concrete solution developed for Locky’s encryption so users have little hopes of ever recovering the damage.

The threat was spotted by two security personnel specialized in internet-based crime and malware, Bart Blaze. who handles Threat Intelligence for multinational financial services company PricewaterhouseCoopers and Peter Kruse. an eCrime specialist for the Danish CSIS Security Group A/S. The peril was generated in the form of spam messages spread via Facebook’s IM system.

The virus evaded Facebook’s whitelisting by pretending to be a .SVG image file and was sent from compromised Facebook accounts. The infected files, unlike other common file types, have the ability to contain embedded content like JavaScript and can be opened in a modern browser. The reason the crooks opted to share SVG images is because it is XML-based and allows dynamic content so it was easier to cloak JavaScript code right inside the photo itself, which in this case was a link to an external file.

Opening the infected file redirects users to a spammy site, a copycat version of YouTube. The website doesn’t raise any red flags until it prompt users to install a malicious codec Chrome extension in order to watch the video. Upon allowing, the unsubstantiated extension will give it the capability to alter user’ data regarding the sites they visit.

As reported by Blaze, the extension will also spread the malware further on Facebook, compromising the victim’s account. The spammers can take over your account and further spread the malware among your social media friends by sending them spammy messages with the same SVG image file.

Safety Measures

For starters, and this one is pretty obvious: do not click any SVG file. If your close ones send you a message with the ransomware attached, you should warn them ASAP about their account being compromised.

Deny installing the Chrome extension and even if you do somehow click on the SVG file, one way to revert it is to go to the menu, navigate to ‘Extensions’ via Select More Tools, find the extension and then remove it before Necumod infects your system.

The next step would be to download a powerful internet security software. System Watcher is one of the most reliable tools to tackle the problem, developed by Kaspersky Lab. System Watcher is available on all of Kaspersky Lab’s main products like Kaspersky Anti-Virus, Kaspersky Internet Security, and the ultimate in computer security, Kaspersky Total Security.

But if you have gone past this, the safety ship has sailed and the most you can do now wipe your hard drive to get rid of the Locky ransomware and be more judicious about strange Facebook images next time.


For various PC problems, we recommend this tool.

This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues now in 3 easy steps:

  1. Download this PC Repair Tool rated "Excellent" on TrustPilot.com.
  2. Click “Start Scan” to find Windows issues that could be causing PC problems.
  3. Click “Repair All” to fix all issues with Patended Technologies (requires upgrade).


Next up

Best Windows 10 antivirus software to use in 2018

By: Radu Tyrsina
7 minute read

Update – 2018 will soon come to an end and we already have a guide on what is the best antivirus you should get in […]

Continue Reading

These features are out for good with Windows 10 version 1809

iamsovy@gmail.com' By: Sovan Mandal
2 minute read

Microsoft is all set to launch its next big update, Windows 10 version 1809 in October. While that should be a nice piece of news […]

Continue Reading

Windows 10 18H2 builds no longer receive new features

By: Matthew Adams
3 minute read

The Windows 10 October 2018 Update (otherwise 18H2) rollout might now be two to three weeks away. For the last few months, new build previews […]

Continue Reading