Security Alert: Ransomware attacks via Facebook Messenger using Google Chrome extensions

A new wave of ransomware targeting Facebook and Google Chrome users is in the public spotlight. Cybercriminals are attacking their victims by sending malicious Scalable Vector Graphics (SVG) images over Facebook Messenger. Facebook users are easily fooled because the message appears to come from one of their Facebook friends.

Why SVG files?

Attackers favour SVG files for spreading malware because SVG is an XML-based format that can embed content such as JavaScript, which a modern browser will run when the image is opened. The attackers embed their malicious JavaScript code inside the SVG file.
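As an added defensive example (not code from the original alert), the following Python script flags SVG files that carry the kind of active content described above: script elements, event-handler attributes, and links to javascript: or remote URLs. The element and attribute lists are my assumptions about the common vectors, and the two sample documents are constructed for the example.

```python
"""Scan an SVG for active content (scripts, event handlers, javascript:/remote links)."""
import re
import xml.etree.ElementTree as ET  # assumption: stdlib only; prefer defusedxml in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Element names (namespace stripped) that can run or embed active content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)          # onload, onclick, ...
RISKY_HREF = re.compile(r"^\s*(javascript:|https?://|data:text/html)", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on element and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing active was seen."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers render malformed SVG leniently, so treat a parse failure as suspicious.
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # handles both href and xlink:href
            if EVENT_ATTR.match(aname):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and RISKY_HREF.match(value):
                findings.append(f"risky href on <{name}>: {value}")
    return findings


# Constructed samples for this example (not files from the campaign): a plain drawing
# and one that carries a script, an onload handler and a link to an external "codec".
CLEAN_SVG = f'<svg xmlns="{SVG_NS}"><rect width="10" height="10" fill="blue"/></svg>'
ACTIVE_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="init()">'
    "<script>/* placeholder, no payload */</script>"
    '<a xlink:href="https://example.invalid/codec"><text>play</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, scan_svg(doc) or "no active content")
```

A mail or Messenger-download gateway can run this check before handing an SVG to the user; anything with a non-empty finding list should be quarantined rather than opened in a browser.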

How does it work?

The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as an SVG file.

What happens if Facebook users click on the image?

They are redirected to a fake YouTube website (with a dubious URL) that displays a pop-up asking them to download and install a "codec", which is in fact a Google Chrome extension. By downloading and installing this extension, you allow the attackers to infiltrate your PC or device and take control of the entire network.

In some cases, the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers the Locky ransomware: an executable is downloaded from a remote server and run on your computer. Locky then begins to encrypt all the files on your computer or device and across the network.

How can you protect your business against this threat?

What should system administrators, C-level executives and other information security personnel do?

Locky ransomware is a serious threat to your business, as it encrypts even your network-based backup files. It is therefore imperative to alert your employees to this crypto-virus and educate them on how to avoid getting infected.

Educate your employees to think twice before clicking on SVG files, and teach them how to remove Google Chrome extensions if they accidentally click on a malicious file: