A ransomware campaign is spreading like wildfire across Facebook and LinkedIn through shared image files. The payload, Locky, is being pushed through the social networks by a newly reported delivery technique that Check Point has named ImageGate.
Check Point researchers say the ImageGate attackers abuse the way Facebook and LinkedIn handle images: a crafted file is uploaded as if it were a picture, and a flaw in the site's handling of it makes the victim's browser download the file instead of displaying it. The downloaded "image" carries malicious code, and the infection happens when the user opens that downloaded file, not merely when the picture is viewed on the site. Once run, Locky walks the file system and encrypts the user's files; the attackers alone hold the decryption key, and they release it only after the victim pays.
Dikla Barda, a Check Point researcher, wrote that "the attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users' devices as soon as the end-user clicks on the downloaded file."
Locky encrypts your files and appends a .locky extension to each of them. It then demands 0.5 to 1 Bitcoin, roughly $210 to $400 USD at the time of writing, for the key needed to decrypt your own files.
Until recently, the most common way to end up with Locky was through e-mail campaigns. Many of them carried an attachment disguised as an invoice, so that you would open the document believing you had something to pay. The attachment is a Word document containing a macro; Symantec detects it as W97M.Downloader. If you allow the macro to run, it downloads and installs Locky immediately.
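Both delivery paths above, the "image" forced on you by a social-media site and the invoice document that arrives by e-mail, share one defence: find out what a downloaded file really is before opening it. The Python below is an added example and is not Check Point's or AnonHQ's code. It compares a file's leading bytes with the image type its name claims, flags double extensions such as photo.jpg.exe, and opens OOXML Office documents (.docx/.docm and friends) as zip archives to see whether they carry a vbaProject.bin part, which is where macros live. The file names, byte strings and in-memory "documents" are constructed for the demonstration; the signature bytes and the vbaProject.bin convention are standard facts about those formats. Legacy .doc files (the format the W97M family targets) are a binary OLE container, so the example only flags them for inspection rather than parsing them.

```python
"""Triage a downloaded 'image' or e-mail attachment before opening it.

Added example, not code from the article or from Check Point. Sample names and
bytes below are constructed; the signatures are the formats' documented magic numbers.
"""
import io
import zipfile

# Leading bytes (magic numbers) of common image formats, by extension.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

# Leading bytes that mean "this is not a picture, it is content that executes".
EXECUTABLE_SIGNATURES = {
    b"MZ": "a Windows PE executable",
    b"<html": "HTML (browser/script-host content)",
    b"<HTML": "HTML (browser/script-host content)",
    b"<script": "script",
}

OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}


def extensions(name):
    """All extensions of a file name, lower-cased: 'photo.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def ooxml_has_macros(data):
    """True if an OOXML (zip-based) Office document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(name, data):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'unknown'."""
    exts = extensions(name)
    if not exts:
        return ("unknown", "no extension to check against")
    last = exts[-1]
    head = data[:16].lstrip()

    # Double extension such as photo.jpg.exe: Windows honours the last one.
    if len(exts) > 1 and exts[-2] in IMAGE_SIGNATURES and last not in IMAGE_SIGNATURES:
        return ("suspicious", "double extension " + exts[-2] + last)

    if last in IMAGE_SIGNATURES:
        # An executable or web page wearing a picture's name is the ImageGate pattern.
        for sig, what in EXECUTABLE_SIGNATURES.items():
            if head.startswith(sig):
                return ("suspicious", last + " file is really " + what)
        if any(head.startswith(sig) for sig in IMAGE_SIGNATURES[last]):
            return ("ok", "image magic matches extension")
        return ("suspicious", "content does not start with " + last + " magic")

    if last in OOXML_EXTENSIONS:
        if ooxml_has_macros(data):
            return ("suspicious", "Office document contains a VBA project (macros)")
        return ("ok", "Office document without macros")

    if last in LEGACY_OFFICE_EXTENSIONS:
        return ("suspicious", "legacy binary Office format; inspect for macros (e.g. with oletools) before enabling anything")

    return ("unknown", "no rule for " + last)


def build_sample_docm(with_macros):
    """Construct a minimal zip that mimics an OOXML document (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
    return buf.getvalue()


# Constructed samples: names and bytes are made up for the demonstration.
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 12,        # PE header behind a picture name
    "meme.gif": b"<html><script>x()</script>",        # web content behind a picture name
    "profile.jpg.exe": b"MZ\x90\x00" + b"\x00" * 12,  # double extension
    "invoice.docm": build_sample_docm(True),          # the macro-carrying "invoice"
    "quote.docx": build_sample_docm(False),
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}


def triage_all(samples=SAMPLES):
    """Run triage over every sample and return {name: (verdict, reason)}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage_all().items():
        print(f"{name:18} {verdict:10} {reason}")
```

The order of the checks matters: the executable signatures are tested before the image signatures, so a PE file named photo.jpg is reported as an executable rather than as "not a JPEG". Anything the script cannot classify is returned as "unknown" rather than "ok", because the point is to withhold a clean verdict from files it did not actually inspect.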
Naturally, we are not here to admire this nasty malware but to get rid of it without paying, right?
To start the process on Windows 7 and earlier, restart your computer and press F8 repeatedly until the Windows Advanced Options Menu (WAOM) appears. Select Safe Mode with Networking.
On Windows 8 and 10, go to the Start screen and type "Advanced". Open Advanced startup options, which takes you to the General section of PC Settings. Under Advanced startup, click Restart now; the computer restarts into the recovery menu. Choose Troubleshoot, then Advanced options, then Startup Settings, and click Restart. When the Startup Settings list appears, press F5 to boot into Safe Mode with Networking (F4 gives plain Safe Mode, without the network access you need for the next step).
Once Windows is running in Safe Mode, log into the account that was infected. You should be able to open your web browser and download a copy of any legitimate antivirus product; I recommend Panda Security myself. Bear in mind that removing Locky stops further encryption but does not decrypt the files it has already touched: without the attackers' key those files stay encrypted, so restore them from a backup that was not connected to the machine during the infection.
If you cannot boot into Safe Mode and do not mind losing personal files, you can instead perform a factory reset or reinstall Windows from scratch.
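Before reinstalling or restoring anything, it is worth knowing how far the encryption got. The Python below is an added example and is not part of the original article: it walks a directory tree, counts files carrying the .locky extension per folder, and uses their modification times to bracket the window in which Locky ran, which is what you need when deciding which backup to restore from. The directory layout, file names and timestamps are constructed inside the script so it runs offline; the only thing the logic relies on is the .locky extension the article describes, and the hex-style names are made up rather than real Locky output.

```python
"""Scope a Locky infection: how many files, in which folders, and when.

Added example, not code from the article. build_sample_tree() creates a
constructed directory tree with made-up names and timestamps for demonstration.
"""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".locky"  # the extension Locky appends, as described in the article


def scope_locky(root):
    """Walk `root` and summarise the damage.

    Returns a dict with the total number of .locky files, a per-directory count
    (paths relative to root) and the earliest/latest modification time among
    them, which brackets the period during which the encryption ran.
    """
    by_dir = Counter()
    mtimes = []
    for dirpath, _subdirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(ENCRYPTED_EXT):
                by_dir[os.path.relpath(dirpath, root)] += 1
                mtimes.append(os.path.getmtime(os.path.join(dirpath, filename)))
    if not mtimes:
        return {"total": 0, "by_dir": {}, "first": None, "last": None}
    return {
        "total": sum(by_dir.values()),
        "by_dir": dict(by_dir),
        "first": datetime.fromtimestamp(min(mtimes), timezone.utc),
        "last": datetime.fromtimestamp(max(mtimes), timezone.utc),
    }


def build_sample_tree():
    """Create a constructed tree in a temp dir and return its path.

    Names and timestamps are invented; the fixed epoch keeps the result
    reproducible (1480000000 is 24 Nov 2016 15:06:40 UTC).
    """
    root = tempfile.mkdtemp(prefix="locky_scope_")
    base = 1480000000
    layout = [
        ("Documents/3F2A9C0B1D4E5F67.locky", base),
        ("Documents/9A8B7C6D5E4F3A21.locky", base + 30),
        ("Pictures/0C1D2E3F4A5B6C7D.locky", base + 90),
        ("Pictures/notes.txt", base - 86400),  # untouched file, must not be counted
    ]
    for rel, mtime in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 32)
        os.utime(path, (mtime, mtime))  # set both atime and mtime
    return root


if __name__ == "__main__":
    result = scope_locky(build_sample_tree())
    print(f"{result['total']} encrypted files")
    for directory, count in sorted(result["by_dir"].items()):
        print(f"  {directory}: {count}")
    print("encryption window:", result["first"], "to", result["last"])
```

Run it against a real profile directory (for example the user's home folder, from Safe Mode) instead of the sample tree to get the actual counts; the first/last timestamps tell you the latest backup that predates the infection.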
This article (New Ransomware Spreading Through Facebook and LinkedIn) is free and open source. You have permission to republish it under a Creative Commons license with attribution to the author and AnonHQ.com.