Posting on behalf of David Biser:

With so many users accessing Facebook within corporate networks, it is imperative that your security team be up to date on current threats involving social media. A well-known piece of malware, Locky Ransomware, is spreading via Facebook Messenger by pretending to be a harmless image file. Since many companies allow employees to access Facebook, this presents a potentially massive hole in security programs.

The initial reports on this piece of ransomware show a commonality among the type of infection vector and approach used by the attackers. First, the user receives an instant message containing only an image file, or what appears to be an image file. It is usually titled generically with a .svg extension. A .svg (Scalable Vector Graphics) is an XML-based vector image, which is formatted for two dimensional graphics and support for animation and interactivity. These image files can be created and edited with any text editor and have been used in the past to serve up other types of ransomware. 

The threat actors are exploiting a JavaScript entry contained in the .svg files that redirects the victims to a website that serves up the malicious payload. The latest attack utilizes a downloader called Nemucod. Nemucod has been around for awhile and Microsoft has rated it as a “severe threat.” (

Many of these latest attacks re-direct the victim to a website that appears to be YouTube, with a video from Facebook and a request to install additional extensions to actually view the video. Now, as all security practitioners know, a user will more than likely click on this request to authorize it, and then the end begins! If the user actually installs the Chrome extension, the attack can spread further via Facebook Messenger. It is even possible that other types of malware will be downloaded via the Nemucod downloader once the user has agreed to the installation. 

Some good news here, VirusTotal does report that many of the anti-virus programs out there pick up this threat and actively stop it. Please see the following link for more information from VirusTotal,

So, now that you know this threat is out there, that your users are actively using Facebook within your corporate environment and that there is a possible security hole that the attackers will exploit, what do you do? Here are some quick tips to help protect you against this latest attack vector:

  1. Ensure all of your anti-virus/malware programs are updated with the latest signatures. VirusTotal reports that Nemucod is picked up by many anti-virus programs, however, if they are not updated they could possibly miss the initial download. If you have anti-virus running within your environment, it should be standard practice to update it. If you haven’t updated your anti-viris, now is as good a time as any!
  2. Instruct your users of the dangers they face on social media. I know that many companies hesitate to restrict access to web sites such as Facebook, but if your users are actively using Facebook, then they need to be reminded that Facebook isn’t Safebook. There are threats facing them on every link they click and those threats are not only against them, but your entire corporate network. Provide updated security lessons, conduct social engineering penetration tests and utilize fake phishing campaigns to ensure your users are abiding by the security policies.
  3. Proactively scan your network for threats such as Nemucod. A program such as Carbon Black ( provides this active threat hunting ability and interacts with programs such as VirusTotal to warn you of immediate threats. It also provides you with the tools to take immediate steps to remediate such threats before they spread throughout your network.
  4. Review your incident response plan and ensure that it is up to date. Many companies do not have an incident response plan and think that they will never suffer a breach or an incident. Sadly, this type of thinking is exactly why attack vectors such as this one are so successful. Failure to plan is planning to fail. Take the steps necessary today to ensure your plan is ready to go. NTT Security can help with this process as well. Click here for more details.
  5. Restrict access to social media sites within your corporate environment. I know this isn’t a popular step, but it is one that can easily be implemented. Many companies have taken this step and survived the process with little impact on their employees. Some have gone so far as to set up a “public” wireless network that allows their employees access to such sites, only separated from the corporate environment. It is your choice, however, social media is a definite attack vector and you can’t afford to ignore it.

Make sure you are doing everything you can to protect the data in your custody. Social media provides attackers with the ability to slip inside your network and wreak havoc, if they aren’t stopped. Invest in your security program, not only financially but personally as well. Take the steps necessary to stop attackers at the doorway of your environment and rest easy at night!