Over the past couple of days, the web has been abuzz with a ransomware campaign that does not reach your desktop through browser or OS vulnerabilities. Instead, the image-based malware is said to spread through some of the most trusted sources on the Internet, including the social networks Facebook and Microsoft-owned LinkedIn.
The infection, identified by Check Point researchers, is said to deliver a variant of the well-known Locky ransomware. The security firm found that attackers embed malicious code in an image or graphics file and successfully upload it to social media websites. It further says that the attackers then exploit a misconfiguration on these sites that tricks the browser into downloading the file to the user's desktop instead of merely displaying it.
Since we use these social networks every day, we have developed considerable trust in them, so we do not question the integrity of the downloaded file and open it without a second thought. Nothing happens while the "image" sits on disk; it is the act of opening the downloaded file that runs the malicious code, which then encrypts the files on the system and leaves them locked until the attackers are paid.
In the case of the Locky ransomware, once users download and open the malicious file they receive – all the files on their personal device are automatically encrypted and they can only gain access to them after the ransom is paid. The industry estimation is that the campaign is still raging and accumulates new victims every day,
reads the blog post.
Taking a cue from Apple's infamous BendGate, Check Point refers to the campaign as ImageGate. The firm says it notified both social networks in September. It is still unclear whether LinkedIn has responded; Facebook, for its part, disputes the analysis and attributes the spread of these images to malicious Chrome extensions, which it says it has been blocking for nearly a week.
In an official statement, a Facebook spokesperson said:
This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.
Although the social networks have started taking steps, Check Point's advice is straightforward: do not open image files that the browser has saved to disk, and be especially wary of "images" with unusual extensions such as SVG, JS or HTA. A file named like a picture but ending in .js or .hta is a script, not an image: Windows hands .js to Windows Script Host and .hta to mshta.exe when it is double-clicked, and an SVG opened in a browser can run any JavaScript embedded in it.
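A practical version of that advice, as an added example that is not Check Point's or Facebook's code: a small triage check for files that arrive as "images" from a social network. It flags the two things the article warns about, an image-like name that ends in a script-capable extension (.svg, .js, .hta) and a file whose bytes do not match the image type its name claims, and it also looks for script or event-handler content inside SVG or HTML text. The sample files are constructed for the demo; the extension list and magic-byte table are assumptions you would extend for your own environment.

```python
"""Triage downloaded "image" files for the ImageGate-style tricks described above.

Added example, not code from Check Point or Facebook. Sample inputs are constructed.
"""
import os
import re
from typing import Dict, List

# Leading bytes of common raster formats, checked against the claimed extension.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Extensions the article singles out: the shell or browser will run script in them.
SCRIPT_CAPABLE = {".svg", ".js", ".hta"}

# Markers of active content inside SVG, HTML or HTA text: script tags,
# on*= event handlers, javascript: URLs.
ACTIVE_CONTENT = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def triage(filename: str, data: bytes) -> List[str]:
    """Return the reasons this file should not be opened; an empty list means nothing found."""
    findings: List[str] = []
    # splitext takes the final extension, so "cat.jpg.js" is judged as .js,
    # which is also how Windows decides what program opens it.
    ext = os.path.splitext(filename)[1].lower()

    if ext in SCRIPT_CAPABLE:
        findings.append(f"script-capable extension {ext}")

    expected = IMAGE_MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not start with the {ext} signature")

    # Text that starts with '<' is markup, not a raster image; look for active content in it.
    head = data.lstrip()[:1]
    if head == b"<" and ACTIVE_CONTENT.search(data):
        findings.append("markup with script or event-handler content")

    return findings


# Constructed sample files (not real captures): a benign PNG, an SVG carrying a
# script, HTA-style HTML renamed to .jpg, and a script hiding behind a double extension.
SAMPLES: Dict[str, bytes] = {
    "holiday.png": IMAGE_MAGIC[".png"] + b"\x00\x00\x00\rIHDR" + bytes(16),
    "holiday.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "photo.jpg": b"<html><head><script>window.close()</script></head></html>",
    "image.jpg.js": b"var a = 1;",
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run triage over a set of (filename, bytes) pairs and return findings per file."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name}: {'clean' if not reasons else '; '.join(reasons)}")
```

Only the PNG comes back clean; the other three are flagged for the extension, the mismatched signature, the embedded script, or a combination. Checking the bytes rather than trusting the name is the point: a renamed HTA still starts with `<html`, and a real JPEG never starts with `<`.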