
Locky Ransomware Uses Infected JPG Images to Spread on Facebook and LinkedIn

The appropriately named ImageGate uses a method of embedding malware in images and graphic files and targets social networking websites for distribution.


The security firm Check Point uncovered this new method of distributing malware. According to its research, the attackers have added a new capability that allows them to embed malicious code into an image file and successfully upload it to social networking websites.

“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users' device as soon as the end-user,” say Roman Ziakin & Dikla Barda, part of the Check Point Research Team.

Check Point's researchers believe the new ImageGate technique reveals how the initial Locky campaign started in the first place. The recent massive spread of Locky was particularly evident on Facebook.

Check Point has published a video in which they demonstrate the process. In a test, they sent a random JPG file through Facebook's chat. Once the targeted victim clicks on the attachment, a Windows save prompt opens and downloads a .hta file.


Upon downloading and opening the attachment, reportedly all of the files on the device are automatically encrypted. You can only gain access after you pay the ransom. Check Point reports that, according to industry reports, the campaign is still in full swing and accumulates new victims every day.

Targeting the social network sites for a reason

Since more and more people spend time on social network sites, the hackers are turning their attention to these websites. Ziakin and Barda state that “cyber criminals understand these sites are usually ‘white listed’”, pointing out that this is the main reason why the hackers are “continually searching for new techniques to use social media as hosts for their malicious activities.”

Check Point recommends the following preventive measures to stay protected:

  • If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.
  • Don't open any image file with an unusual extension (such as SVG, JS or HTA).
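
Both recommendations can be automated on an endpoint or a download gateway: check the extension, then check whether the bytes really are an image. The following Python is an added example, not code from Check Point or from this article; the function names, the marker list and the sample files are assumptions constructed for illustration.

```python
import os

# Extensions the article names as unusual for an image (SVG, JS, HTA).
RISKY_EXTENSIONS = {".svg", ".js", ".hta"}

# Leading bytes of common raster image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif", b"GIF89a": "gif",
}

# Markup that has no place in a raster image (assumed marker list).
SCRIPT_MARKERS = (b"<hta:application", b"<script", b"<svg")

def sniff_image(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def triage_download(filename, data):
    """Return a list of reasons not to open a file received as an 'image'."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in RISKY_EXTENSIONS:
        reasons.append("risky extension " + ext)
    kind = sniff_image(data)
    if kind is None:
        reasons.append("content is not a JPEG, PNG or GIF")
    elif ext not in {".jpg", ".jpeg", ".png", ".gif"}:
        reasons.append(kind + " content behind extension " + (ext or "(none)"))
    head = data[:4096].lower()  # script markup near the start of the file
    for marker in SCRIPT_MARKERS:
        if marker in head:
            reasons.append("script markup " + marker.decode() + " in content")
    return reasons

# Constructed samples, not real malware or captured files.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "holiday.jpg.hta": b"<html><HTA:APPLICATION id='x'/><script>/* inert */</script></html>",
    "logo.svg": b"<svg xmlns='http://www.w3.org/2000/svg'><script>/* inert */</script></svg>",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_download(name, blob) or "looks like a plain image")
```

An empty list means the file has an image extension, image magic bytes and no script markup in its first 4 KB; anything else should be quarantined rather than opened.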

With the holiday season underway, the volume of the attacks will likely increase due to the number of people present online. Yesterday, we covered how warned against Black Friday malware disguised as Amazon emails.

Users are receiving fake emails that contain the Locky ransomware exploit. Downloading the attached zip file results in important files being encrypted and inaccessible until you pay the attacker. The company has been tracking this combination for a while and Windows Defender should detect it.

Sead Fadilpasic