Locky is ransomware which is embedded in JPEGs and other images.
An Israeli security firm called Check Point has dubbed a new outbreak of ransomware “ImageGate”. They’re now warning of dangerous malware which spreads through social media platforms as images that lock your computer when clicked. The software responsible is called “Locky” and was discovered earlier this year. It encrypts the user’s files and then demands a ransom in order to unlock them again. The price being demanded for a key is 0.5 bitcoins, valued at roughly $365.
It was reported by Hacker News earlier this week that a Facebook spam campaign was spreading Locky through .svg files, something which Facebook denied. Now Check Point is saying that the malicious software is being spread through multiple file formats on multiple social media platforms, including Facebook and LinkedIn. The security firm says social media sites are being targeted because they’re usually whitelisted.
“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file,” said Check Point in a statement. Once the malicious file has been opened, every folder on your computer will appear empty except for a text file which directs the user to servers on the anonymising Tor network where the user can make a payment.
Check Point says they warned Facebook and LinkedIn of the ImageGate threat back in September, but so far, the platforms seem to have been unable to stop the spread. As such, users need to remain vigilant. If you click on an image and it downloads automatically, do not open it. Any social media site should be able to display a picture without downloading anything. If you do happen to download a file, even one you assume to be harmless, be wary of file formats like .svg, .js or .hta.
The security firm has also released a video shedding some more light on how Locky works.
Source: Check Point