Locky Ransomware Images Are Spreading via Social Media
The suspicious images represent a new "ImageGate" attack vector for the Locky ransomware, according to a Thanksgiving Day blog post by security company Check Point. By exploiting a misconfiguration in social media sites, malicious actors can embed the ransomware code into image files that they then post on social media sites.
After clicking on and downloading these image files, users will discover that all the files on the affected devices are automatically encrypted and inaccessible to them. The only way they can unlock their files is by paying a ransom to the hackers responsible, Check Point warned.
Exploiting Social Media 'White Listing'
Check Point researchers Roman Ziskin and Dikla Barda said they discovered how ImageGate works while investigating the recent "massive spread" of Locky ransomware via social media sites. Released earlier this year, Locky has been blamed for numerous attacks, including one in which a California hospital had to pay a ransom of about $17,000 in bitcoin to unlock its files.
The latest spate of Locky attacks spread via a Facebook-based campaign, according to Ziskin and Barda. Other social networking sites such as LinkedIn have also been affected, they added.
"Check Point researchers strongly believe the new ImageGate technique reveals how this campaign was made possible, a question which has been unanswered until now," they said. Check Point alerted both Facebook and LinkedIn of its findings early in September, they said.
"As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms," Ziskin and Barda said. "Cyber criminals understand these sites are usually 'white listed', and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."
Ransomware Evolving To Evade Security
Check Point plans to publish further details about ImageGate's workings after the affected social media sites are able to eliminate the vulnerabilities that allow such ransomware to be distributed via their platforms, according to Ziskin and Barda. This will help prevent other hackers from taking advantage of those vulnerabilities.
In the meantime, Check Point recommends that users avoid clicking on and downloading suspicious files that appear on social media sites and elsewhere as links rather than regular pictures. The company is warning people to be especially cautious about image files with unusual extensions such as .svg, .js or .hta.
New variants of the Locky and Cerber ransomware appeared in the wild last week, according to Check Point. "The new ransomware versions released perform slender, yet very interesting, changes that may affect the way they are being detected," the company's threat intelligence team said in a separate blog post on Thanksgiving.
Cerber is spreading primarily through spam email campaigns and exploit kits, while Locky has been evolving in other ways to evade existing security checks. The ransom payments being demanded via Locky are also changing, with payment amounts that can vary "in correlation to the victim's characteristics, especially number of encrypted files."
While Locky imposes a default ransom payment of three bitcoins, the lowest demand to date has been 0.5 bitcoin, according to Check Point.