In a short period of time, Locky has become one of the favorite ransomware tools of spammers. It usually spreads via spam emails with a disguised downloader.
This attack was first discovered by malware researcher Bart Blaze. Surprisingly, the malware manages to bypass Facebook’s file extension filter.
The hackers are spreading this ransomware using an .SVG image file. So, if you receive one that looks like the one shown ahead, avoid clicking it. I myself got this ransomware in my inbox via a friend.
How does an image carry Locky ransomware?
For those who don’t know, an .SVG file is an XML-based vector image with support for animation and interactivity. This means that one can embed content, like JS, in the file. The file being shared here is a heavily obfuscated script that redirects one to a shady website, prompting one to download an additional extension.
It looks like this malware is used to download more malware on a system. The security researchers have found Locky ransomware as payload in their investigations.
Remove the malicious extension immediately:
The extension has no icon, so it might seem invisible. It can have one of following descriptions:
One ecavu futolaz corabination timefu episu voloda
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum
The users are advised to open the Extensions list from Chrome menu and look for the description. Now, simply clicking on the remove button will delete it.
One must change his/her Facebook password and run a deep antivirus scan. You are also requested to share this news with your friends and make them aware.