- Check Point has discovered an Android version of the “Black Rose Lucy” ransomware.
- The malicious actors are pretending to be the FBI, threatening the victim with legal prosecution.
- The ransomware isn’t particularly sophisticated, but it comes with more than enough features to do a great deal of damage.
A new variant of the “Black Rose Lucy” ransomware has been spotted in the wild, and it appears to be targeting Android devices now. This is a malware family that first came to light in September 2018, when Check Point discovered it. However, it never managed to become very widespread in the scene. Now, the same team of researchers is reporting that Lucy has returned and has a bag of tricks to fool its victims.
First of all, Lucy is to be found in unofficial APK sources, so its distribution channels do not include Google Play. The researchers located more than 80 samples of the new ransomware on social media platforms, where actors are sharing links, as well as in IM application groups. When victims download the ransomware, they get a message that supposedly comes from the FBI, warning them about the discovery of pornographic content on their device. The ransomware then locks the files by encrypting them using the AES algorithm and presents this as part of the FBI action.
Supposedly, the victims have been given a $500 fine due to the possession of the inappropriate material, so they are asked to make the payment within 3 calendar days. The message warns victims that trying to unlock the device themselves or not paying would constitute a further breach of the law, resulting in the tripling of the fine.
The victim ends up with files carrying the “.Lucy” extension, although from a technical standpoint, the ransomware is identical to what it was when it was first discovered. All device directories, ‘/storage,’ and even ‘/sdcard’ are scanned and encrypted, so almost nothing is left out. The researchers have found that Lucy starts the encryption process with a fake key, which could be an attempt to mislead malware analysts.
As for the C2 infrastructure, four servers are hardcoded in Lucy’s code, specifically apsoinasj[.]in, 9120qwpsa[.]in, a0h12p14k[.]in, and qeoq0r1hgf03ds[.]in. The malware rotates among them, and there is a unique API for calling each of them. As for the commands sent from the C&C server to Lucy, these include calling a phone number, fetching the scanned directories, initiating encryption, decryption, dropping the payment, fetching the list of installed apps, opening a remote shell, deleting encryption keys, and even deleting Lucy itself.
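The two indicators the article gives, the hardcoded C2 domains and the “.Lucy” file extension, are enough for a simple detection pass over device telemetry. The following is an added example written for this page, not code from Check Point or the article; the log line format and device names are constructed, and matching subdomains of the C2 domains is an assumption, since the article only says the malware rotates among the four hosts.

```python
import re
from typing import Iterable

# Hardcoded C2 domains reported for the Android Black Rose Lucy sample
# (from the article, with the defanging brackets removed).
LUCY_C2_DOMAINS = {
    "apsoinasj.in",
    "9120qwpsa.in",
    "a0h12p14k.in",
    "qeoq0r1hgf03ds.in",
}

# Extension the ransomware appends to encrypted files (from the article).
LUCY_EXTENSION = ".lucy"

# Constructed log format (an assumption, not a real product format):
#   "<timestamp> <device> dns query=<fqdn>"
#   "<timestamp> <device> file write path=<absolute path>"
DNS_RE = re.compile(r"^(\S+) (\S+) dns query=(\S+)$")
FILE_RE = re.compile(r"^(\S+) (\S+) file write path=(\S+)$")


def matches_c2(fqdn: str) -> bool:
    """True if the queried name is a hardcoded C2 domain or a subdomain of one."""
    name = fqdn.lower().rstrip(".").replace("[.]", ".")  # tolerate defanged input
    return any(name == d or name.endswith("." + d) for d in LUCY_C2_DOMAINS)


def scan_logs(lines: Iterable[str]) -> list[dict]:
    """Return one alert dict per log line that matches a Lucy indicator."""
    alerts = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and matches_c2(m.group(3)):
            alerts.append({"device": m.group(2), "type": "c2_dns", "value": m.group(3)})
            continue
        m = FILE_RE.match(line.strip())
        if m and m.group(3).lower().endswith(LUCY_EXTENSION):
            alerts.append({"device": m.group(2), "type": "lucy_ext", "value": m.group(3)})
    return alerts


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "2020-04-28T10:00:01Z phone-07 dns query=play.googleapis.com",
    "2020-04-28T10:00:05Z phone-07 dns query=9120qwpsa.in.",
    "2020-04-28T10:00:09Z phone-07 file write path=/sdcard/DCIM/IMG_0001.jpg.Lucy",
    "2020-04-28T10:00:12Z phone-12 dns query=api.qeoq0r1hgf03ds.in",
    "2020-04-28T10:00:15Z phone-12 file write path=/storage/emulated/0/notes.txt",
]

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOG):
        print(f"[{a['type']}] {a['device']}: {a['value']}")
```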
As always, we advise paying attention to where you download your mobile apps from, as most malware comes from unofficial app stores. Moreover, a security solution adds an extra layer of protection.
Created by ODD Balls