C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

Locky ransomware is now spreading via Flash, Windows kernel exploit(s), malicious DLLs and even images on Facebook and Twitter!1 2 3 4 :-/

Note: “Facebook has said that some of the Nemucod infections spreading over Facebook Messenger are not dropping Locky ransomware on victims’ computers as was initially reported”5 though this is technically possible.

Recommendations

In addition to csirt.sanren.ac.za/posts/160302-rm-locky.html

  • Educate users on the new risks – “Stop! Think! Connect…”
    • Don’t install/execute unknown browser add-ons / extensions especially from unexpected websites (e..g resulting from clicking on an image in a chat message)
  • Revisit and verify backup process, systems, etc.
  • Ensure that the latest patches are applied for anti-malware, web and email filtering, etc. products in use

Further reading

References

1Trend Micro: Locky Ransomware Spreads via Flash and Windows Kernel Exploits

2The Hacker News: Spammers using Facebook Messenger to Spread Locky Ransomware

3Blaze’s Security Blog: Nemucod downloader spreading via Facebook

4McAfee Labs: Locky Ransomware Hides Inside Packed .DLL

5Kaspersky Lab: Nemucod Infections Spreading Over Facebook