According to the April 28 report, the malware, known as “Black Rose Lucy”, is unusual: its ransom payments do not involve cryptocurrencies like Bitcoin (BTC), and it affects users of mobile devices running Android.
Check Point has tracked the malware since its beginnings in September 2018, when it originated in Russia as a “Malware-as-a-Service” (MaaS) botnet. However, it has taken the form of ransomware that can make various changes to the device and install malicious applications.
Fake FBI warnings
As usual with ransomware attacks, Lucy encrypts files on the infected device and displays a fake FBI warning, accusing the victim of possessing pornographic content on their device.
The message also states that the details of the targeted user have been uploaded to the FBI Cyber Crime Department’s Data Center and lists a series of bogus charges brought against them.
The fine is $500, but it must be paid via credit card rather than in Bitcoin, the payment method ransomware attacks usually rely on.
Not a serious threat
Brett Callow, threat analyst at Emsisoft, said he doesn’t believe that mobile platforms are a target for serious ransomware groups:
“It’s simply not where the money is at. While an attack on corporate endpoints and servers can bring a company to a standstill and enable the criminals to extort a significant ransom, the same cannot be said for an attack on mobile devices.”
Callow adds the following comment on the fact that ransomware attacks like Lucy accept credit card payment:
“The fact that these low-level sextortion scammers are seemingly transacting via credit card rather than Bitcoin is unusual but not a particularly significant development. I certainly wouldn’t expect to see any of the real ransomware groups adopting the strategy.”
Android users get hacked with fake notifications
The cybersecurity firm says that Lucy uses an “ingenious” method to circumvent Android security, displaying a message asking the user to activate real-time video optimization.
As a next step, the cybercriminals persuade the victim to give the malware permission to use the accessibility function in Android.
As reported on April 21, a publication from Emsisoft’s malware lab highlighted a significant drop in the number of successful ransomware attacks on the public sector during Q1 2020, despite the COVID-19 crisis.