Black Rose Lucy Ransomware Attempts to Extort Victims by Impersonating the FBI

Summary

Cyber-criminals have repurposed an Android botnet and dropper Malware-as-a-Service (MaaS) to deliver the ransomware variant known as Black Rose Lucy. Check Point researchers first identified the MaaS in September 2018, which is believed to be developed by the Russian-speaking Lucy Gang. The ransomware masquerades as a video application and is commonly delivered via social media links and instant messenger applications. In order to bypass Android security, a message is displayed requesting the user to enable the Streaming Video Optimization (SVO). If clicked, the cyber-criminal is granted access to the accessibility service and encryption is initiated on the device. A ransom note appears in the web browser window claiming that the encryption was carried out by the Federal Bureau of Investigation (FBI) due to pornographic content found on the device. Furthermore, the victim is instructed to pay a $500 fine by providing their credit card information. It is important to note that the FBI would not conduct operations in this manner, nor would they ask for credit card details. This use of mobile ransomware highlights an expansion in the attack landscape.

Recommendations

The NJCCIC recommends users exercise caution when clicking on links within social media posts or instant messages. Additionally, we urge users to pay close attention to permissions and functions that are enabled when using applications. Further information can be found in the Check Point Research article.