
Facebook Ransomware

Posted: June 20, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 5
First Seen: June 20, 2017
Last Seen: July 23, 2019
OS(es) Affected: Windows

The Facebook Ransomware is a variant of Hidden Tear, a program originally designed as an example of how file-encrypting Trojans function. Along with its capability of damaging your files, possibly permanently, the Facebook Ransomware also may lock your screen with the pop-up through which it displays its ransoming conditions. Although appropriate anti-malware products may delete the Facebook Ransomware, malware experts also advise keeping backups to provide fallback recovery options.

The New Face Taking Your Files for Granted

Forks in the Hidden Tear family continue to propagate, even though many of these threats show limited distribution efforts from their makers. However, with most of the work of creating a payload already done in the source code, even new offshoots like the Facebook Ransomware can feature both data-locking attacks that damage your files permanently and other features, such as pop-ups that block Windows. Ransom payments, while recommended by the Facebook Ransomware and its competitors, are questionable means of restoring either your computer or any content that has been encrypted.

The Facebook Ransomware can scan for and lock, through an AES-based encryption function, any of various file formats, including DOC, JPG and XLS. Default Windows locations like the desktop, downloads and documents folders are particularly vulnerable to these attacks. Although the Facebook Ransomware's scan and encryption routine shows no symptoms to the user, the Trojan concludes its payload with a pop-up.
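As an added illustration from the defender's side (not code from the original post, and not the Trojan's own code), the following Python heuristic flags the behaviour described above in constructed file-write events: one process rewriting many DOC, JPG or XLS files under the Desktop, Downloads or Documents folders within a short window, while an ordinary editor touching a single document stays quiet. The event format, process names and threshold values are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions and folders named in the description above; tuning values are assumed.
WATCHED_EXT = {".doc", ".docx", ".jpg", ".xls", ".xlsx"}
WATCHED_DIRS = {"desktop", "downloads", "documents"}
WINDOW_SECONDS = 60   # burst window (assumed)
THRESHOLD = 20        # distinct watched files per window before alerting (assumed)


def is_watched(path: str) -> bool:
    """True when the path is a watched file type inside a watched user folder."""
    p = PureWindowsPath(path)
    parts = {s.lower() for s in p.parts}
    return p.suffix.lower() in WATCHED_EXT and bool(parts & WATCHED_DIRS)


def find_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """events: iterable of (timestamp_seconds, process_name, target_path).
    Returns {process_name: peak_distinct_files} for every process that rewrote
    at least `threshold` distinct watched files inside any `window`-second span."""
    per_proc = defaultdict(list)
    for ts, proc, path in events:
        if is_watched(path):
            per_proc[proc].append((ts, path))
    alerts = {}
    for proc, hits in per_proc.items():
        hits.sort()
        start = 0  # left edge of the sliding window into `hits`
        for i, (ts, _) in enumerate(hits):
            while hits[start][0] < ts - window:
                start += 1
            distinct = {p for _, p in hits[start:i + 1]}
            if len(distinct) >= threshold:
                alerts[proc] = max(alerts.get(proc, 0), len(distinct))
    return alerts


def sample_events():
    """Constructed sample: a word processor saving one file twice, then an
    unknown binary rewriting 25 photos on the desktop within 25 seconds."""
    evs = [(0, "winword.exe", r"C:\Users\alice\Documents\report.docx"),
           (5, "winword.exe", r"C:\Users\alice\Documents\report.docx")]
    evs += [(10 + i, "unknown.exe", rf"C:\Users\alice\Desktop\photo{i}.jpg")
            for i in range(25)]
    evs.append((20, "unknown.exe", r"C:\Windows\Temp\x.tmp"))  # ignored: not watched
    return evs


if __name__ == "__main__":
    print(find_bursts(sample_events()))
```

Real deployments would feed this from a file-activity source such as Sysmon or an EDR sensor rather than the constructed list, and the threshold should be tuned against normal workload in the environment.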

This pop-up serves the same function as the Notepad ransom messages in previous versions of Hidden Tear. Its authors use the window to provide their prerequisites for paying to get access to the code for the file-unlocking decryptor built into Hidden Tear. While most elements of this HTML message appear to be copies of preexisting Web pages, malware experts did take note of the new and unusual use of Facebook branding for its background image. No evidence currently exists to imply that the Facebook website is propagating the Facebook Ransomware through disguised Web links to an exploit kit or other threat with drive-by-download features.

Shutting the Book Closed on a Hidden Tear Spin-Off

The Facebook Ransomware is mildly significant for being one of the few Hidden Tear-based threats to include a screen-locking function. Besides delivering its ransom demands, this feature can also stop you from accessing the Windows UI or other programs. Along with that, victims not familiar with the norms of the file-encrypting Trojan industry may be unaware that the Facebook Ransomware's ransoming method, Bitcoins, protects the con artists from refunds if they don't help you recover the locked files.

Backing up your content to locations not subject to being deleted, as the Shadow Copies often are, can protect documents and similar media from being permanently encrypted by the Facebook Ransomware. Unless malware researchers find new evidence confirming how this threat is distributing itself, infection vectors are expected to include such possibilities as spam e-mails, corrupted websites with script-based exploits and freeware bundles. For those users who refuse to back their files up, having an anti-malware product that can delete the Facebook Ransomware preemptively is the only definitive way to keep their content safe from encryption.

Threat actors always are eager to build a name for themselves, even if doing so often entails stealing the names of a legitimate business or service. Trojans like the Facebook Ransomware are little more than another point in the barrage of evidence showing that misconduct uses social engineering and brand awareness, just as much as legal marketing.
