Cyber Attack

This Ransomware Spreading Through Facebook Messanger

Sharing is caring!


It has been reported that a new hacking campaign has emerged which makes use of Facebook Messenger to spread malware downloader belonging to the “Nemucod” family.

It has been observed that the malware belongs to the ransomware family. It is downloaded through FB messenger fake messages. In many cases, “Nemucod” malware downloads Locky ransomware.

It spreads in the form of images having extensions such as “Scalable Vector Graphisc (.svg)” or by means of “HTA HTML app” disguised as a “.jpg” extension.

These images are capable of bypassing the Facebook Defense measures or file extension filters by pretending to be a genuine image file. Such messages may arrive from known /unknown contactscontaining image as an attachment.


The downloader and ransomware is capable of performing the following functions:

  • Upon execution, it will encrypt the contents of the targeted device.
  • Demands ransom amount of money to send the decryption key for the same.
  • Capable of deleting backups and shadow copies of the infected device to disallow restore options.
  • Discovers connected/ mapped networks to spread its infection.
  • Adds browser extensions to hook browsers.
  • Unauthorized access to FB account to spread malicious SVG images to friend list of the compromised account unknowingly.

In this campaign, attackers make use of SVG image to embed a JavaScript containing a link to external file. Upon clicking the image, a request to third party website which pretends to be “YouTube” like website is sent, which may drop ransomware or ask the infected user to add Browser extensions. These malicious extensions are then capable of hooking the victims’ browsers or may use the victims Facebook account to spread the malware.

Security Best Practices:

  • Do not open messages/images received from untrusted sources or received unexpectedly fromtrusted sources.
  • Do not allow unknown / untrusted applications to access of your Facebook account.
  • Exercise caution while visiting websites or web links that ask users to add browser extensions or downloads plugin files.
  • Exercise caution while visiting links received via Facebook messages or any social media apps.
  • Do not save any executable on mobile, desktops which are downloaded via messenger
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline
  • Keep the operating system third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches
  • Maintain updated Antivirus software on all systems
  • Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
  • Consider installing Enhanced Mitigation Experience Toolkit, or similar host¬level anti exploitation tools.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Carry out vulnerability Assessment and Penetration Testing (VAPT) and information security audit of critical networks/systems, especially database servers from CERT-In empaneled auditors. Repeat audits at regular intervals.
  • Individuals or organizations are encouraged not to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and Law Enforcement agencies
  • For securing and preventing against ransomware attacks, refer CERT-In’s advisory “Prevention of Ransomware infections”

Join The Discussion