Locky ransomware is now spreading via Flash, Windows kernel exploit(s), malicious DLLs and even images on Facebook and Twitter! [1]
Note: "Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims' computers as was initially reported" [5], though this is technically possible.
Recommendations
In addition to the recommendations in csirt.sanren.ac.za/posts/160302-rm-locky.html:
- Educate users on the new risks – “Stop! Think! Connect…”
- Don't install/execute unknown browser add-ons / extensions, especially from unexpected websites (e.g. a site reached by clicking on an image in a chat message)
- Revisit and verify backup process, systems, etc.
- Ensure that the latest patches are applied for anti-malware, web and email filtering, etc. products in use
Further reading
References
[1] Trend Micro: Locky Ransomware Spreads via Flash and Windows Kernel Exploits
[2] The Hacker News: Spammers using Facebook Messenger to Spread Locky Ransomware
[3] Blaze's Security Blog: Nemucod downloader spreading via Facebook