Locky ransomware being spread via Facebook Messenger

Clicking on a fake image attachment allows the malware to be downloaded

Facebook Messenger is being used by spammers to spread Locky ransomware.

The attack methodology was discovered by malware researcher Bart Blaze, and has been acknowledged by Facebook. It uses Facebook Messenger to spread a malware downloader called Nemucod that takes the form of an .SVG image file.
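SVG is an XML format that can carry script and event handlers, so an .SVG attachment like the one described above cannot be treated as a passive bitmap. The following check is an added example, not code from the article or from Blaze's write-up, that a file or message gateway could use to flag SVG files with active content; the function name, finding labels and sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run or load active content inside an SVG document.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}

def local(name: str) -> str:
    """Strip an XML namespace: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG should not be handled as a plain image."""
    # Refuse entity declarations before parsing (guards against entity
    # expansion; this byte match covers ASCII-compatible encodings only).
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name)
            # Browsers ignore whitespace and control characters in a scheme.
            scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
            if attr.startswith("on"):
                findings.append(f"handler:{attr}")
            elif attr in URL_ATTRS and scheme.startswith("javascript:"):
                findings.append(f"url:{attr}")
    return findings

# Constructed samples: a passive drawing and one with inert active content.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
    b'<script type="text/javascript">/* constructed placeholder */</script>'
    b'<a xmlns:x="http://www.w3.org/1999/xlink" x:href=" JavaScript:void(0)">'
    b'<circle r="4"/></a></svg>'
)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, svg_findings(sample) or "no active content")
```

An empty result means only that none of these markers were found; files that return findings are best quarantined or re-rendered to a bitmap before delivery.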

Locky is a strain of Dridex banking malware. Earlier this year a Locky attack hit a hospital in the US, which had to pay $17,000 in bitcoin to decrypt important data.

As with other ransomware, once activated Locky encrypts files on the infected machine and connected local networks, including images, videos, source code and Office files, before issuing a ransom demand for payment in bitcoin to decrypt them. In this case payment is requested via a site on the "dark web".

The advice, as always, is to double-check before clicking on a link or opening an attached file.

"As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave," said Blaze on his blog about the issue.

"Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen."

Facebook told Computing's sister site The INQUIRER that it is looking into ways to tackle the issue. It suggested that the root cause might lie with a poorly implemented extension for Google's Chrome browser.

"We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform," said a spokesperson.

"In our investigation, we determined that these were not, in fact, installing Locky malware - rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties."