Locky Ransomware Spreads Through Facebook Messenger

Locky Ransomware Maneuvers Past Facebook Security

Locky ransomware has wormed its way past the security features of Facebook Messenger. The malware is currently being spread by a malicious image link being sent through the messaging feature of the popular social media platform. Reports suggest Facebook is working to fix the issue.

The attack begins with an image file being sent over Messenger. When the recipient opens the image, they are taken to a website that imitates YouTube, where they are prompted to install a malicious Google Chrome extension. According to Neowin, this malicious extension has since been removed.

However, the problems don’t stop there. According to Peter Kruse, a colleague of the individual who originally found the malicious content, in certain instances the file also delivered the Locky ransomware variant through a Nemucod downloader. Fortunately for PC Matic users, the Locky variant would not be allowed to execute as long as the user has SuperShield enabled. Devin Bergin, product manager and malware researcher for PC Matic, made the following statement regarding the attack via the Nemucod downloader:

“This sounds like a typical downloader, similar to one that would run in a word macro. The downloader installs with JavaScript. Then it reaches out to a command and control server and downloads the Locky exe and executes it. SuperShield would block the Locky exe when it tried to execute.”

As a PC Matic subscriber, it is important to ensure SuperShield protection is enabled. You may do so by right clicking the shield icon in the bottom right corner of your screen, in the task bar located by the clock. Then confirm there is a check mark by “SuperShield Protection”.

For users who are not protected with PC Matic, you may click here to learn more about our advanced protection.

18 thoughts on “Locky Ransomware Spreads Through Facebook Messenger”

  1. I recently had an experience with, what I would call, Ransomware.
    When I tried to get on the NET I received a text message from, presumably, Microsoft
    that said I had a foreign program that was trying to launch onto my PC.
    Having had two earlier instances of Ransomware over the last 5 years, I was
    immediately suspicious.
    I had been successful in removing the previous instances, after much time and effort,
    and I thought I could also eliminate this one. However, this was unlike the others in that
    it didn’t lock up my computer, it only stopped me from getting on-line.

    After unsuccessful attempts to delete this message, and assuming that PC Matic wouldn’t
    allow anything dangerous through, I decided that it might possibly be legit, after all
    it seemed like it MIGHT have come from Microsoft, although I had never heard of MS
    messaging someone in this way.

    I decided that since I couldn’t remove the intruder, and PC Matic had let it through, I’d
    call the purported ‘MS Support’ phone number offered. The phone was answered by someone alluding to be an MS Technician. He seemed initially to be somewhat confused and turned me over to a ‘Hack’ Technician. I declined to have this technician connect with and read my PC.
    He said he understood my hesitation and said we may be able to solve my problem without
    connecting with my PC internals.

    Long story short, I spent almost 3 hours following his instructions with a negative result.
    He finally said that he couldn’t do any more without me giving him permission to study my
    PC. At this point I had built up a familiar and partially trusting feeling between us and
    I let my guard down and let him connect up. BIG MISTAKE! It wasn’t long before he told
    me that he could definitely fix the problem for $139.95 followed by his inserting a ‘Block’
    on my Router that would keep this type of thing from happening again…for an additional
    $149.95.

    At this point I was pretty sure it was a Scam and I declined his ‘Sales Pitch’ and quickly
    turned off my PC.

    I rebooted and the message that I couldn’t get rid of was gone. I suspect that his
    co-opting my PC had something to do with it. Although the PC seems to function OK now,
    I immediately went about changing vital passwords. I still have a nagging feeling that
    something was left behind like maybe an open port, Trojan, or a rootkit etc..

    My scant knowledge of the Win 7-64 Operating System doesn’t allow me to have full confidence that my machine is completely rid of this. Assuming that it is gone could be a huge mistake as I may find one day that my bank accounts have been emptied and sent to India or somewhere.

    These are the particulars which I got through an investigation on my part:

    1. The Company uses a name that seemingly is stolen from a company in New Jersey called
    Gentech. They call themselves GENTECHLLC and purportedly are from Springfield, Illinois.

    2. Website- http://www.GentechLLC.US (Be Careful if you try this address. It’s been rumored
    that just making the connection may infect your PC!)

    3. The Technicians have American names, but I detected a slight Indian (from India) accent.

    4. Some of the phone numbers they use are: 844-355-9152, 877-398-2291, 855-202-1840. I’m sure that there are many more.

    Does anyone know how this ‘message’ got by PC Matic and how I can be certain that my machine is ‘clean’? Also, how do I stop this from happening again?

    • First, I want to say thank you for sharing this information. We are constantly striving to make our security solution better, and by gathering this information, you could’ve potentially saved several others from falling victim. I will be sure to share this with our developers to determine if this is something PC Matic may have missed. I am uncertain that it is a PC Matic issue, if you received a text message, but the idea of it blocking your router is something I can have them look into.

      Also, to be clear, ransomware is a form of malware that encrypts your files and then sends you a ransom demand, stating if you do not pay you will not get your files back. This particular instance is not ransomware, but is certainly malware of some sort. Again, thank you for sharing this information, and I will forward it on to our developers now. Have a great weekend!

      • Based on the information you provided, our malware research team was able to report in full confidence that this was not a ransomware attack. Unfortunately, this is more of a scam than any kind of malware. They reported this is a common trick where the browser goes into a series of Alerts purportedly from Microsoft. If this were to occur again, to anyone, please understand that Microsoft will not send you an alert with a phone number. This is the same as the BSoD (blue screen of death) scam. Do not, under any circumstances, call the number that is provided to you. Luckily, you realized the scam before paying for their “fixes”. Unfortunately, PC Matic as well as any other AV solutions cannot block these scams.

  2. When my computer turns on the SuperShield icon is green; in about 15 mins, it turns red. The only way I can get SuperShield back to green is to reboot my computer. What’s up?

  3. It’s still beyond me why people still use facebook. I deactivated my account over a year ago. It’s nothing more than a government outlet to know what you are doing and know everything about you. Pure 100% government spyware.

    • I was using Messenger on my smartphone because Facebook would not let me get any messages unless I signed up for it. When they started giving out my phone number against my wishes and telling everyone who I contacted that I was inviting them to join Messenger, I removed the app. I don’t use Facebook on my smartphone anymore. Somebody needs to build a better Facebook because the people who run Facebook are living in an alternate universe. They want everyone to share their phone number and birthday with the entire world. Hello?!? It has been said that all a good identity thief needs is a birthdate to get your social security number and, more recently, a phone number to get into your bank account. Facebook is trying to expose as much information as they can about their members to placate their advertisers. Facebook cannot be trusted and needs to be replaced by a responsible organization.

  4. I have PC Matic… paid for it on this email address for my PC… I now have an iPad. How do I get this protection on it? Do I have to pay again? If so, how do I get it on my new email address? I am so not knowing how to do this.
    Thank You, Debbie

    • Unfortunately, PC Matic is not compatible with Apple devices. PC Matic requires a Windows platform, such as XP, Vista, 7, 8 or 10.

  5. I HAVE HAD PC MATIC FOR QUITE AWHILE, AND I AM VERY SATISFIED. HOWEVER I HAVE NEVER UNDERSTOOD SUPERSHIELD. SHOULD I PAY EXTRA FOR THAT? IT’S NOT CLEAR. PLEASE ADVISE. THANKS.

    IN THE BEGINNING I SIGNED UP WITH FACEBOOK IN ORDER TO TRACK MY CHILDREN. BIG MISTAKE. I HAVE BEEN TRYING TO UNSUBSCRIBE FROM FACEBOOK BUT WITH NO SUCCESS. PLEASE HELP ME TO DELETE ALL TRACES OF FACEBOOK. THANKS.

    • SuperShield is included in your subscription to PC Matic. Please be sure it is enabled by clicking on the shield icon down by your clock. As long as the shield is green–you’re good to go!

  7. “As a PC Matic subscriber, it is important to ensure SuperShield protection is enabled. You may do so by right clicking the shield icon in the bottom right corner of your screen, in the task bar located by the clock. Then confirm there is a check mark by ‘SuperShield Protection’.”

    You need to look in the Protection Level sub menu to see this.

    • It seems when I have SuperShield turned on that my computer runs really slow – painfully slow… Am I still protected with it turned off?

      • You are, but not by our whitelist protection. I would suggest you reach out to our support team to identify the cause of the issue. SuperShield should not slow down your PC. They’ll be able to fix the issue so you can remain protected, without giving up speed. Reach out to them at http://www.pcmatic.com/help. They’re available 7 days a week.
