Ransomware distributed through Facebook image files
Fri 25 Nov 2016
Researchers have discovered a new method for the malicious distribution of ransomware. This new attack vector, named ImageGate, uses image and graphics files to distribute malware through two social media platforms, Facebook and LinkedIn.
While it was known that ransomware was spreading through social media sites, security experts were unsure how it was being delivered. Now, researchers at Israeli firm Check Point Security have discovered that the authors of the ‘Locky’ cyberattacks, which have been permeating social media, had uncovered a flaw in the infrastructure of these platforms that causes a user to download ransomware embedded in an image or graphics file.
As soon as the end user clicks on the image to view it, the ransomware is executed.
The newly-discovered flaw in platform infrastructure explains how attackers are able to deliver the ransomware to the end user.
In addition to uncovering the attack vector ImageGate, the security team at Check Point has found a new variant of the Locky ransomware. The files are now disguised as .TDB files, most likely in an effort to evade security measures that are being put in place to stop known infection chains.
The new Locky also differs from previous versions in that it can request different amounts of ransom from different users. While the default amount requested to release a user’s files is still 3 bitcoin, the new variant varies the amount requested from different users within the range of 0.5 – 3 bitcoin. The new Locky variant seems to take into account user characteristics including the number of encrypted files on the hijacked machine.
Users wishing to avoid Locky ransomware should remember not to click on an image file distributed through social media. Legitimate image files on these platforms should always be automatically displayed without the need to download the file. Now that the known attack vector is image files, users should not download files with unusual extensions such as .SVG or .TDB.