ImageGate: Images contain ransomware!

M.Sc. Chris Wojzechowski

ImageGate: Images contain ransomware!

Images contain ransomware: It is a new method to get infected with Locky! Up to now, the widespread encryption trojan came preferably via an email mailbox on the computer. The strategy is now changing. Social networks are in focus!

Images contain ransomware – do not download!

It’s no longer the dubious e-mail with a Word file attached (although the attack is still popular with HR departments). The attackers, hackers and cyber criminals have found a way to put the Trojan in image files. Want to download a wallpaper from Facebook? It could happen that a dubious format is suggested to you!

This way you protect yourself from Locky and other encryption Trojans!

You have clicked on a picture and your browser starts a download, although you only wanted to look at a picture? You should not open the file under any circumstances. After all, in social media you can view pictures without downloading anything! The pictures contain an unusual format such as SVG, JS or HTA? Another sign of an infected image file! Only SVG is a common format for images – but for vector graphics, and not for social networks1!

Images contain ransomware? Are there any further details?

Check Point, the discoverers of the method, will not release technical details until the vulnerability has been fixed on the largest and most important websites. The publication is not intended to encourage others to test the vulnerability2. If you want to get an impression of how an infection works, you can watch the following video:

Images contain ransomware!

The attackers become more and more creative and find more gaps. By means of such examples you can see this impressively! However, this attack is particularly critical because there is a particularly large target group. Since one runs the risk of catching an encryption Trojan in social networks also rather rarely, this possibility can bring particularly high “encryption rates”! If a prominent Facebook account is hacked, a few seconds are enough to infect the first fans and followers with Locky! For this reason, this should be corrected quickly before the vulnerability is systematically exploited.

Attention for image files with: .svg .js or .hta extensions!

Weitere Informationen und Quellen

[1] Check Point uncovers a new method for distributing malware through images (checkpoint)
[2] Check Point entlarvt neue Lücken für Ransom- und Malware (Caschys Blog)
[3] Neue Methode zur Verbreitung von Malware durch Bilder (All-about-security)

Photo of author

M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I studied my Master in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread and butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.