Facebook Messenger Spreads Feared Ransomware

Bad news: You can now get malware through private messages on Facebook. Worse news: This isn't just theoretical; it's really happening. Worst news: The malware payloads include a particularly nasty strain of ransomware called Locky, for which there is no free decryption program.

The sign outside Facebook headquarters in Silicon Valley.

The sign outside Facebook headquarters in Silicon Valley.

If someone attempts to send you a certain kind of image file, called an SVG file, via Facebook Messenger, you should ignore it — unless it's from a friend, in which case you should tell them that they've been hacked.

Bart Blaze, a security researcher who handles Threat Intelligence for multinational financial services company PricewaterhouseCoopers, documented the danger on his security blog. A friend of his received a strange image file in Facebook Messenger. When Blaze analyzed it, he found that the SVG file — a scalable vector graphics file, a type of image file common in website construction — was not an image at all, but rather a JavaScript attack.

MORE: Best Antivirus Software and Apps

Attempting to open the image would instead direct a user to a YouTube copycat site, which would then prompt the user to install a malicious Chrome extension in order to watch the video. Peter Kruse, an eCrime specialist for the Danish CSIS Security Group A/S, did some digging, and found that the extension paved the way for a malicious downloader called Necumod. Necumod, in turn, could download the Locky ransomware.

Locky, like other ransomware programs, locks up your computer and encrypts your files, then holds them ransom for a Bitcoin payment. At present, security researchers have yet to crack Locky's encryption, meaning users who fall victim to it have little recourse but to fall back on an earlier backup of their hard drives, provided they have one.

The most obvious way to avoid the faulty image file is, of course, to simply not click on it. While Facebook Messenger can indeed display some image files without user permissions, it cannot automatically execute JavaScript programs, rendering the faulty SVG inert without user input. The second most obvious way is to deny the Chrome Extension installation.

Even if you've gone that far, all hope is not lost: You can still uninstall the extension before Necumod infects your system. After that, it's up to your antivirus program, which can hopefully detect and deny Necumod and Locky before they install themselves.

If you missed every red flag and now have Locky on your system, there isn't much you can do aside from wipe your hard drive and be more judicious about strange Facebook images next time.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.