Facebook Messenger Spreads Feared Ransomware

Bad news: You can now get malware through private messages on Facebook. Worse news: This isn't just theoretical; it's really happening. Worst news: The malware payloads include a particularly nasty strain of ransomware called Locky, for which there is no free decryption program.

The sign outside Facebook headquarters in Silicon Valley.

If someone attempts to send you a certain kind of image file, called an SVG file, via Facebook Messenger, you should ignore it — unless it's from a friend, in which case you should tell them that they've been hacked.

Bart Blaze, a security researcher who handles Threat Intelligence for multinational financial services company PricewaterhouseCoopers, documented the danger on his security blog. A friend of his received a strange image file in Facebook Messenger. When Blaze analyzed it, he found that the SVG file — a scalable vector graphics file, a type of image file common in website construction — was not an image at all, but rather a JavaScript attack.
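
An added example, not from the original article or from Blaze's analysis: a minimal Python check that an upload or mail filter could run to tell whether an SVG carries script rather than only drawing instructions. The sample files, the placeholder URL and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. The URL is a placeholder, not an indicator from this campaign.
SCRIPTED = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script type="text/javascript"><![CDATA[
    function go() { window.location = "https://example.invalid/"; }
  ]]></script>
  <a xlink:href="JavaScript:go()"><circle r="10"/></a>
</svg>"""
STATIC = b"""<svg xmlns="http://www.w3.org/2000/svg" width="20" height="20">
  <circle cx="10" cy="10" r="8" fill="#3b5998"/>
</svg>"""

# Elements that run or embed code; a static picture needs none of them.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)


def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to names."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return the reasons this SVG is more than a static image."""
    # Cheap guard against entity-expansion tricks in ASCII-compatible encodings.
    if b"<!ENTITY" in svg_bytes:
        return ["entity declaration, refused to parse"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):
                findings.append(f"event handler '{attr}' on <{tag}>")
            elif attr in ("href", "src") and SCRIPT_URL.match(value):
                findings.append(f"script URL in '{attr}' on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, data in (("scripted", SCRIPTED), ("static", STATIC)):
        print(label, find_active_content(data) or "no active content")
```

An empty result means the file contains only drawing markup; any finding is grounds to block the file or serve it as a download rather than render it.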

Attempting to open the image would instead direct a user to a YouTube copycat site, which would then prompt the user to install a malicious Chrome extension in order to watch the video. Peter Kruse, an eCrime specialist for the Danish CSIS Security Group A/S, did some digging, and found that the extension paved the way for a malicious downloader called Necumod. Necumod, in turn, could download the Locky ransomware.

Locky, like other ransomware programs, locks up your computer and encrypts your files, then holds them ransom for a Bitcoin payment. At present, security researchers have yet to crack Locky's encryption, meaning users who fall victim to it have little recourse but to fall back on an earlier backup of their hard drives, provided they have one.

The most obvious way to avoid the malicious image file is, of course, to simply not click on it. While Facebook Messenger can indeed display some image files without user permission, it cannot automatically execute JavaScript programs, so the SVG stays inert without user input. The second most obvious way is to deny the Chrome extension installation.

Even if you've gone that far, all hope is not lost: You can still uninstall the extension before Necumod infects your system. After that, it's up to your antivirus program, which can hopefully detect and deny Necumod and Locky before they install themselves.

If you missed every red flag and now have Locky on your system, there isn't much you can do aside from wiping your hard drive and being more judicious about strange Facebook images next time.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 
