Lucy Ransomware Is Back With A New Strategy

May 9, 2020

Lucy is a ransomware which was first discovered by CheckPoint on 2018. Now Lucy is improved and is more harmful then the original one. The Black Rose Lucy malware comes with an interesting twist.

If you want to learn more about the original Lucy click here.

Black Rose Lucy

Lucy encrypts the files and as well as pretends to be FBI and warns it’s victims that they have found pornographic content in their phone and their photo has been snapped and uploaded to FBI Cyber Crime Department’s Data Center. To clear the record victims need to pay $500.

How it works?

The malware starts by registering a receiver called “uyqtecppxr” to run BOOT_COMPLETE and QUICKBOOT_POWERON to check if the country code of the device is from a former Soviet state.

After that an Alert Dialog is opened and the message written in it is to enable SVO(Streaming Video Optimization) to continue watching the video. The message is shown below.

If you click OK then, you give the malware permission to Android Accessibility Service. Android Accessibility Service is generally used to mimic user’s clicks and has the ability to automate user interaction. Malware can use this service and destroy all Android’s defences making device vulnerable. Now the malware can complete it’s main goal to encrypt the files.

It calls WakeLock service which keeps the screen from turning OFF and it also calls WifiLock service which keeps WiFi ON.

Lucy checks all directories whether it is possible to encrypt them or not, but if it is failed to scan the directories then, it will scan /storage directory and at last it will scan /sdcard directory. It will now start encrypting files with .lucy extension and then, it will check if all files are encrypted successfully or not.

Now after encrypting the files, Lucy will now display ransom note in browser window which looks similar to FBI letter. The letter is shown below.

The letter notifies that FBI scanned their device and found pornographic content. As a result, all files are encrypted on their device and have also snapped victim’s photo and uploaded to FBI CYBER CRIME DEPARTMENTS DATACENTER. It also states that victims need to pay penalty of $500. Surprisingly the fine is collected via credit card and not Bitcoin which is generally the case in ransomware. I guess they were trying to pretend to be legitimate. The letter also notifies the victims of different Sections and what punishments they are viable to, for example if they refuse to pay fine then the fine will be tripled in three days.

What happens after Paying Ransom or Fine?

After you pay the amount, Lucy will decrypt all files and then it will check if all files are decrypted or not. If successfully decrypted, it notifies user that all files are successfully decrypted.

After decryption, Lucy goes into DELETE mode where it will delete itself. This way the malware has successfully infected your system and taken money from you by pretending to be FBI

Conclusion

The old malware’s Command & Control(C&C) server was IP address but the new one’s C&C server is a domain which makes it harder to neutralize the attack as the server can be broken down but it can be easily resolved into new IP address.

There are few mobile malwares out there but by far this malware is the dangerous of all time according to researchers. We have to be very careful as now we are on mobile phone almost every time and mobile malwares are increasing day by day.

Best way to defend yourself is not to go to untrusted sites and never click on ads. And use only trusted software. Also beware of phishing mails which also contains infected link. In mobile we can’t see which link we will be redirected to, so that’s why it is easy to click anything in mobile phone. In computers you can hover over the link and see where it will be redirected which makes it easier to know where to click.

The information was gained from CheckPoint Research