What’s Going On?
On 18 February 2016 Symantec found a rather strange piece of software that turned out to be a new variant of ransomware spreading through the web (if you do not know what ransomware is, refer to this). This particular strain, known as Locky, spread through spam emails with attachments at a rate of roughly ten to twenty thousand victims per week between January and March 2016. It’s not especially shocking to see malware spread this way; email messages with ZIP attachments have been the go-to infection strategy since the early 90s. Then something else happened. Towards the end of November 2016, users on Facebook and LinkedIn began receiving messages with image attachments. They seemed harmless enough, but when opened they revealed a new strain of Locky that encrypted the system’s files and unlocked them only if the victim paid a ransom of anywhere between US$200 and $400. The most shocking part was that the virus spread through images rather than conventional executable code.
Not Everything Is As It Seems
Although images are certainly being used to infect people on social media, it’s not quite what it looks like. I’ve taken a slightly deeper look at the mechanism behind Locky and its slippery ways, and there’s more to the story than a bunch of JPEGs that are “out to get you.” First off, what the sender of the malware is really distributing is the impression of an image: a flaw in Facebook’s and LinkedIn’s code allows certain files to be transferred with the image icon, leading the recipient to believe they received a harmless picture of someone’s pet cat or new garden. What the recipient actually downloads is an HTA file (an HTML Application), a very old executable format for Windows that has been around since 1999 (another item for the list of reasons why 90s software was completely bonkers). Basically, HTA applications are like EXEs except that they are layered on top of “mshta.exe”; administrators used them to rapidly make changes to systems. Since they run with the full “trust” of the system they are running on, outside the browser’s sandbox, they are free to wreak whatever havoc their code allows.
How to Prevent Infection
Once you’re infected with Locky, there’s not much you can do except hope you find an anti-malware application that can remove it while you’re booted in Safe Mode. But preventing the infection in the first place is rather easy. When you receive an image file on Facebook and it doesn’t show a preview like the image below, you will probably be prompted to download it instead.
Once you’ve downloaded the file, check its extension. If it isn’t JPG, JPEG, PNG, or something else that looks like an image, it’s probably a virus. We’ve seen Locky in HTA format, but it could also appear as other executable file types (.COM, .PIF, .SCR, .CPL, .JAR, .APPLICATION, .EXE, .MSI, etc.). Keep in mind that Windows hides the extensions of known file types by default, so a file named, say, “photo.jpg.hta” can show up in Explorer as “photo.jpg”; tick “File name extensions” in Explorer’s View tab so you always see the real one. Just keep an eye out for file extensions and be wary of anything you don’t recognize. One surefire way to check whether the file you received is an image is to see whether Windows Explorer gives you a preview when you change the display style to “Large Icons.” Have any other nifty pieces of advice to share? Tell us in a comment!
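The two checks the article recommends (look at the declared extension, then confirm the file really is an image) can be scripted. The following is an added example, not code from the article: it compares the extension against the article’s lists and the file’s leading bytes against the standard image signatures, so a double-extension HTA or a renamed executable is flagged. The sample file contents are constructed headers, not real files.

```python
import os

# Extensions the article names as image types and as executable/script types
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXECUTABLE_EXTENSIONS = {".hta", ".com", ".pif", ".scr", ".cpl", ".jar",
                         ".application", ".exe", ".msi"}
# Standard leading bytes ("magic numbers") of common image formats
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
MZ = b"MZ"  # DOS/PE header shared by .exe, .scr, .cpl and friends

def sniff(data: bytes) -> str:
    """Guess the real content type from the file's leading bytes."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(MZ):
        return "pe"
    head = data[:512].lower()
    if head.lstrip().startswith(b"<") or b"<script" in head or b"<hta:" in head:
        return "html"  # an HTA file is HTML text that mshta.exe executes
    return "unknown"

def classify(filename: str, data: bytes) -> str:
    """Apply the article's two checks: declared extension, then real content."""
    # splitext keeps only the LAST extension: 'cat.jpg.hta' -> '.hta'.
    # Explorer with hidden extensions shows that file as 'cat.jpg',
    # which is why the content check matters.
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    if ext in IMAGE_EXTENSIONS:
        return "image" if kind in IMAGE_MAGIC.values() else "disguised"
    return "unknown"

# Constructed samples (not real malware): a JPEG header, a PNG header,
# an HTA body behind a double extension, and a PE stub renamed to .png
SAMPLES = {
    "garden.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "cat.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "cat.jpg.hta": b"<html><head><hta:application id=x></head><script>",
    "photo.png": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"just text",
}

def scan_samples() -> dict:
    """Classify every constructed sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15} -> {verdict}")
```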