Who doesn’t love a good scary problem that has a “-gate” suffix? An Israeli security firm has dubbed a particularly nasty outbreak of ransomware “ImageGate” and that will help us all remember that if you receive a random image on your favorite social network, you probably shouldn’t click it.
“Locky” ransomware was first discovered earlier this year. As the name implies, it locks up a victim’s computer by encrypting their files and demanding a ransom of .5 bitcoins (about $365) in exchange for a key. Earlier this week, Hacker News reported that a Facebook spam campaign was spreading Locky through image files in the SVG format. At the time, Facebook denied that this was happening. Now, security firm Check Point says that Locky is being embedded into several graphic formats and spread through “social media applications such as Facebook and LinkedIn.” The firm has put together a helpful video with a laughably ominous soundtrack for you:
Check Point says that hackers have been focused on finding exploits in social networks because they are usually “white listed.” The firm’s research found that hackers have found “a new capability to embed malicious code into an image file and successfully upload it to the social media website.” When a victim clicks on the image, the image is automatically downloaded. When the image is opened, the ransomware automatically locks up all their data and leaves a text file in each encrypted directory. That file points to servers on the anonymising Tor network where the victim can make a payment to get their shit back.
For now, Check Point says that they aren’t releasing full technical details until they know the problem has been fixed. They say they informed Facebook and LinkedIn back in September. Those are the only two social networks that they mention by name but they do not specify if those are the only two that are being used for attacks.
Basically, just know that if you click an image on social media and it automatically downloads you shouldn’t open it. And don’t open image files with “unusual extensions such as SVG, JS or HTA.”
Tell your grandmother it’s called ImageGate. Image. Gate.
[Check Point via Ars Technica]