Black Rose Lucy MaaS returns as an FBI ransomware

Black Rose Lucy malware gets back as an Android-based ransomware

Black Rose Lucy malware

Black Rose Lucy malware

After the first wave in 2018, Black Rose Lucy[1] malware-as-a-service (MaaS) shifted its activity from Android malware to ransomware and is currently actively spreading via social media links and fake Streaming Video Optimisation (SVO) alerts. Nearly 80 diverse samples have been detected carrying the new Lucy variant.

If the potential victim clicks the OK button, Lucy ransomware gets the user’s permission to extract its files and start encryption. The virus is capable of locking all files stored on the device and subsequently shows a  ransom note in Google Chrome or another web browser asking to pay $500 fine. The ransom note mimics an official FBI form[2], which contains information about illicit activity recorded on the victim’s device.

Ransomware renders sextortion strategy to scare people into paying the “fine”

Sextortion is a social engineering strategy used by scammers mainly. Criminals use bots[3] to spread malicious emails where people are accused of visiting porn sites and caught on camera. It turned out that the new variant of Black Rose Lucy malware exhibits a sextortion twist as well.

Upon successful infiltration, it encrypts files on the user’s Android device and then grants access to his or her web browser where a fake FBI lock screen is displayed. The note claims that the victim has been visiting forbidden pornographic websites and that FBI has information on his/her location and snapshot confirming the identity. Criminals demand the victim to pay a penalty, which is $500.

Disconnection or disposal of the device or your attempts to unlock the device independently will be apprehended as unapproved actions interfering the execution of the law of the United States of America (read section 1509 – obstruction of court orders and selection 1510 – obstruction of criminal investigation). In this case and in case of penalty non-payment in a current of three calendar days from the date of this notification, the total amount of penalty will be crippled and the respective fines will be charged to the outstanding penalty. In case of dissent with the indicted prosecution, you have the right to challenge it in court.

Even though a locked file followed by the above notification may scare people, beware that it’s a scare tactic used to swindle money from unaware people.

Lucy grants access to data via Android Accessibility Service

As pointed out by malware researchers, the current Lucy variant spreads in the same manner as its ancestor. With the help of botnets, criminals send infected links via social media and instant messaging apps[4]. The link carries Lucy malware, which silently settles down on the device.

Clicking on the link does not run ransomware payload. The Black Rose Lucy malware then targets Android Accessibility Service. For this purpose, an Android device is programmed to display fake SVO (Streaming Video Optimisation) message asking users to enable the service to keep watching a video:


To continue watching the video on your phone, you must enable Streaming Video Optimisation (SVO), select it in the menu and turn it on!


Unfortunately, clicking the OK button does not grant a smooth video streaming, but rather enables a malware to use the accessibility service, which allows data encryption. The ransomware uses the RSA encryption algorithm and targets /storage and /sdcard directories in the first place and encrypts all files located on them without any exceptions.

Finally, Lucy virus can take control over Android’s Wi-Fi and desktop connections to display a ransom note within a web browser. Besides, Check Point states that the analysis proves that this ransomware is capable of sending commands to C2 remote server, export apps, and delete the encryption keys.

Strangely, criminals do not accept cryptocurrency[5], which is non-typical to ransomware developers. Victims are expected to transfer the payment via credit card.

Post-Soviet states are initially targeted

Although the reasons are unclear, Lucy ransomware attacks Android users locating in post-soviet countries, including Ukraine, Belarus, Georgia, Lithuania, Armenia, and others. The malware has an in-built database of restrictions, which are run during malware load. However, Russia is not under the restrictions list, so most of the Russian-speaking countries are in the attack mapping.

The question remains why criminals did not try to impersonate a federal law-enforcement agency in Russia. Anyway, Android users should be very cautious and avoid suspicious links on Facebook, Twitter, Messenger, and other social media in order not to give permission for malware to compromise the device. Besides, reputable software developers offer security software for Androids and we strongly recommend having one installed. Android and iOS oriented cybercrime are getting increasingly popular, so take precautionary measures before falling as a victim.