Black Rose Lucy ransomware holds Android devices hostage

Black Rose Lucy malware, first noticed in 2018, is back as Android ransomware, security firm Check Point reports.

The malware has been known for a couple of years now but it never rose to prominence. It’s a MaaS (Malware-as-a-Service) botnet and a dropper for Android devices. But it’s now back as ransomware that tries to extort money by claiming to be the FBI.

The ransomware seems to spread via social media. The researchers at Check Point have found more than 80 samples of this new ransomware on various social media platforms. Victims could be tricked into clicking on malicious links they receive via social media or instant messaging apps, or they could pick it up by downloading apps from insecure third-party stores.

When the malware manages to infiltrate the Android device, it displays a pop-up message saying that in order to “continue watching the video on your phone, you must enable Streaming Video Optimization (SVO), select it in the menu and turn it on!”. Pressing OK grants Black Rose Lucy access to the Accessibility Service, which lets the malware launch fully and begin encrypting files. Once the malware has checked that all targeted files have been encrypted, it displays a ransom note.

The malware can also take control of the device, which would allow it to make unwanted, potentially dangerous changes, as well as install additional malware.
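The SVO prompt described above only works because the victim grants an accessibility service to an app that has no business having one. The following audit script is an added example, not code from the Check Point report: it parses the value Android keeps in the secure settings table (`settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries) and flags every enabled service whose package is not on an allowlist. The sample value and the `com.example.svo_optimizer` package name are constructed for illustration.

```python
import subprocess
from typing import Iterable, List, Optional, Tuple

# Android stores enabled accessibility services in the "secure" settings
# table as a colon-separated list of "<package>/<service class>" entries;
# the class may be written relative to the package (e.g. ".MyService").
SETTING = "enabled_accessibility_services"

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# First entry is Google's TalkBack; the second is a placeholder package name
# standing in for an app that tricked the user into enabling it.
SAMPLE_VALUE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.svo_optimizer/.OptimizerService"
)

# Packages that legitimately run an accessibility service on this fleet (assumption).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified class) pairs; 'null' or '' means none enabled."""
    value = value.strip()
    if value in ("", "null"):
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # malformed entry: skip it rather than crash the audit
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand a package-relative class name
        services.append((pkg, cls))
    return services


def unexpected_services(value: str, allowlist: Iterable[str]) -> List[Tuple[str, str]]:
    """Enabled services whose package is not allowlisted: candidates for SVO-style abuse."""
    allowed = set(allowlist)
    return [(p, c) for p, c in parse_enabled_services(value) if p not in allowed]


def read_device_setting(serial: Optional[str] = None) -> str:
    """Fetch the live value over adb (needs a connected device with USB debugging on)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "settings", "get", "secure", SETTING]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_VALUE, ALLOWLIST):
        print(f"unexpected accessibility service enabled: {pkg} ({cls})")
```

Run against a real device by replacing `SAMPLE_VALUE` with `read_device_setting()`; any hit outside the allowlist deserves a look at the package that registered it.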

Locks the phone due to “forbidden pornographic” content

When it finishes encrypting files, the ransomware will display a ransom note. The note pretends to be an official notification from the Department of Justice Federal Bureau of Investigation (FBI). The note claims that the FBI has scanned the device and has identified suspicious files. It also states that the victim has visited forbidden pornography sites. As a result, the agency has supposedly locked the device and encrypted its data. Furthermore, the note also claims that “information on your location and snapshots containing your face have been uploaded on the FBI cyber crime departments datacenter”. Victims are asked to pay $500 to settle these charges. The note also declares that if the payment is not made within three days, or the victim tries to unlock the device in some other way, the fine will be tripled.

Source: CheckPoint Research

An interesting and very dangerous practice that this ransomware employs is asking victims to pay via credit card instead of a cryptocurrency like bitcoin. Users are asked to enter their credit card details directly, which hands the operators everything they need to drain the victim's bank account. In most cases, ransomware operators ask for payment in cryptocurrency, so this, while not unheard of, is rather unusual.

The Black Rose Lucy ransomware is a classic example of the FBI virus. In the early days of ransomware, screenlockers were quite common. Like the Black Rose Lucy ransomware, screenlockers often tried to scare users by claiming that the FBI or some other law enforcement agency is involved, and unless users pay the requested sum of money, they could be charged and arrested. Users supposedly “earn” those charges because they watch or download illegal pornography. It goes without saying that nothing about this is legitimate. Law enforcement agencies do not lock devices, nor do they encrypt files. And they certainly do not simply ask for money if a serious crime has been committed.

Logically, it’s pretty obvious that if someone has committed a serious crime, a fine would not cut it. However, when faced with a stressful situation, logic often goes out the window. And when users see a threatening message that claims the FBI is involved, they become stressed. This is why these scams are occasionally successful. But if users calmly look at it, it will immediately become obvious that this is a scam.