Black Rose Lucy ransomware now posing as FBI porn warning
A new strain of Russian-developed ransomware impersonates US federal law enforcement to force payment, says Check Point
A variant of the Black Rose Lucy malware-as-a-service dropper, which originated in Russia a little over two years ago, downloads ransomware that passes itself off as an official message from the US’s Federal Bureau of Investigation (FBI) in order to dupe victims into paying a ransom that they believe to be a fine.
The new ransomware strain was uncovered by researchers at Check Point and affects devices running the Android mobile operating system (OS).
Once running on a device, it encrypts its victims’ files and accuses them of possessing illegal pornographic content on their devices. They are told their details have been uploaded to the FBI Cyber Crime Department’s datacentre and are shown a list of offences they are supposed to have committed.
Fortunately, the victim can make all this go away if they pay a “fine” of $500 (£395 or €454) to the FBI via credit card. This differs from most strains of mobile ransomware, which more typically demand payment in bitcoin.
“We are seeing an evolution in mobile ransomware – it’s becoming more sophisticated and efficient,” said Aviran Hazum, mobile research manager at Check Point. “Threat actors are learning fast, drawing from their experience of past campaigns, and the impersonation of a message from the FBI is a clear scare tactic.”
Hazum and his research team collected 80 samples of Black Rose Lucy. Each disguised itself as a harmless-looking video player app and leveraged Android’s accessibility service to install its payload without further action from the user, creating what he described as an “interesting self-protection mechanism” that exploits an Achilles’ heel in Android’s built-in security controls to slip by unnoticed.
Once downloaded and installed as a video application, either via social media or via instant messenger, Black Rose Lucy tricks the user into granting it access to Android’s accessibility service by asking them to enable a bogus service called “VSO – video streaming optimizer”.
It then grants itself admin privileges by abusing the accessibility service, which can mimic a user’s screen taps and clicks and so automate the interactions with the device that would normally require the user’s consent. Only at this point does encryption take place, with the encryption key stored in the device’s shared preferences, after which the ransom demand is displayed. Storing the key locally in that way means it can in principle be recovered from the app’s private data by anyone with root or forensic access to the device.
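A first triage check follows directly from this description: an app branded as a video player has no business declaring an accessibility service or a device-administrator receiver, and both are visible in the decoded AndroidManifest.xml before the app is ever run. The script below is an added example written for this page, not Check Point’s tooling and not code from the malware itself; the manifests it parses are constructed, and the package names, class names and labels in them are invented. Real APKs ship a binary manifest, which must first be decoded (for example with apktool or androguard) into the XML form shown here.

```python
"""Static triage of a decoded AndroidManifest.xml for the pattern described
above: a "video player" that declares an accessibility service and a
device-admin receiver. Added example for this page, not Check Point's tooling
or code from the malware; the manifests below are constructed, names invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
MEDIA_WORDS = ("video", "player", "stream")


def android_attr(name):
    """ElementTree attribute key for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(xml_text):
    """Collect the facts a reviewer needs from one decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    findings = {"package": pkg, "accessibility_services": [],
                "device_admin_receivers": [], "posing_as_media_app": False,
                "requested_permissions": [p.get(android_attr("name"), "")
                                          for p in root.iter("uses-permission")]}
    app = root.find("application")
    if app is None:
        return findings
    label = (app.get(android_attr("label")) or "").lower()
    findings["posing_as_media_app"] = any(
        w in label or w in pkg.lower() for w in MEDIA_WORDS)
    # A service bound with BIND_ACCESSIBILITY_SERVICE can read the screen and
    # inject taps: the hook the dropper uses to click through its own prompts.
    for svc in app.iter("service"):
        if svc.get(android_attr("permission")) == BIND_ACCESSIBILITY:
            findings["accessibility_services"].append(svc.get(android_attr("name"), ""))
    # A receiver bound with BIND_DEVICE_ADMIN is how an app asks to become a
    # device administrator.
    for rcv in app.iter("receiver"):
        if rcv.get(android_attr("permission")) == BIND_DEVICE_ADMIN:
            findings["device_admin_receivers"].append(rcv.get(android_attr("name"), ""))
    return findings


def risk_verdict(findings):
    """Turn findings into a verdict plus the reasons behind it."""
    reasons = []
    if findings["accessibility_services"]:
        reasons.append("declares an accessibility service (can automate taps)")
    if findings["device_admin_receivers"]:
        reasons.append("declares a device-admin receiver (can lock the device)")
    if reasons and findings["posing_as_media_app"]:
        reasons.append("media-player branding does not justify these bindings")
    if len(reasons) >= 2:
        return "SUSPICIOUS", reasons
    return ("REVIEW" if reasons else "OK"), reasons


# Constructed manifest shaped like the dropper's (all names invented).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Video Player">
    <service android:name=".OptimizerService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary player with no privileged bindings.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simpleplayer">
  <application android:label="Simple Player"><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        facts = triage_manifest(text)
        print(facts["package"], risk_verdict(facts))
```

A verdict from this check is a prompt for review, not proof: legitimate password managers and automation tools also bind accessibility services, and device-management apps legitimately register device-admin receivers. The point is that the combination, sitting behind a media-player identity, is exactly the pattern described above and should be looked at by hand before such an app is allowed onto a managed device.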
“Sooner or later, we anticipate the mobile world will experience a major destructive ransomware attack,” said Hazum. “It’s a scary but very real possibility, and we urge everyone to think twice before clicking on anything to accept or enable functions while browsing videos on social media.
“To stay safe, users should install a security solution on their devices and only use official app stores. And, as always, they should keep their device’s OS and apps up to date at all times.”
Malware-as-a-service (MaaS) products such as Black Rose Lucy are just one manifestation of the increasingly professionalised world of cyber crime; some even come with technical support and service level agreements (SLAs). They are typically sold as access to a malware distribution botnet.
In the case of Black Rose Lucy, the product comprises a loader (Lucy), a remote-control dashboard for managing the botnet of victim devices and hosts, and a dropper (Black Rose), which targets victim devices, collects their data, listens for instructions from a remote command-and-control server, and installs the ransomware.