Most of us get excited when we hear a Facebook notification about a new message. Our friend was excited on Sunday as well, until he realized that the message was suspicious. He received an .svg picture without any explanation, and it smelled a bit fishy. His friend is not one of those users who send lots of pictures just for fun. Besides, Facebook always shows all or part of a picture; this time the attachment looked like a link. He thought it was just another version of the Facebook virus. Curiosity killed the cat, and he clicked on the received picture. He ended up on a website that looked identical to YouTube, where he was asked to install an extension that was supposedly necessary to watch the video. This seems suspicious, right?
Indeed, this SVG file hides the Nemucod Trojan, which is responsible for installing and executing the infamous Locky virus. Hackers have finally managed to get into Facebook and launch the first ransomware distribution campaign on social media. The malware spreads via the previously mentioned SVG file. SVG is an XML-based vector image format that allows embedded JavaScript. As we already explained, when the victim clicks on the file, he or she is redirected to a website that looks like YouTube but has a different URL. Honestly, who looks at the URL bar? We are all interested in the content! However, this bogus site asks the visitor to install the “Ubo” or “One” extension, and if users agree, ransomware infiltrates the system, starts encrypting personal files, and spreads the malicious message to all Facebook friends. After a couple of minutes you receive a ransom note, and after several hours or days you can expect your friends to start blaming you for spreading viruses and causing them problems.
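Because SVG is XML that can carry JavaScript, a received .svg can be checked for active content before anyone opens it in a browser. The following is an added example, not part of the original article; the sample files, function names and the list of flagged elements are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: one SVG with active content, one purely static.
SAMPLE_ACTIVE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <circle r="10"/>
  <script type="text/javascript">/* placeholder body */</script>
  <a xlink:href="javascript:void(0)"><text>open</text></a>
</svg>"""
SAMPLE_STATIC = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'

# Elements that can run or embed script-capable content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
SCRIPT_URL_PREFIXES = ("javascript:", "data:text/html")


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return (kind, location) findings; an empty list means nothing flagged."""
    lowered = svg_text.lower()
    # Refuse DTDs up front: entity tricks can hide markup or exhaust memory.
    if "<!doctype" in lowered or "<!entity" in lowered:
        return [("doctype", "rejected before parsing")]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("element", tag))
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):  # onload, onclick, ...
                findings.append(("event-handler", f"{tag}@{name}"))
            elif name in ("href", "src") and \
                    value.strip().lower().startswith(SCRIPT_URL_PREFIXES):
                findings.append(("script-url", f"{tag}@{name}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("active", SAMPLE_ACTIVE), ("static", SAMPLE_STATIC)):
        print(label, find_active_content(doc))
```

This is a triage check, not a sanitizer: any finding means the file should be treated as a script rather than a picture, and files carrying a DOCTYPE are flagged for manual review instead of being parsed.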
The realization that Locky can reach computer users even in such small European countries as Lithuania gives us the feeling that it is impossible to hide from ransomware. The developers are still working hard and looking for various ways to infect computer users worldwide. Therefore, you should be careful and back up your files!