A threat actor focusing on Android systems has expanded their malware-as-a-service (MaaS) business with file-encrypting capabilities for ransomware operations.
Named Lucy Gang by researchers, the actor is a Russian-speaking team that made itself known two years ago with the Black Rose Lucy service, which offered botnet and malware-dropping capabilities for Android devices.
No cryptocurrency demand.

The new feature allows customers of the service to encrypt files on infected devices and display a ransom note in the browser window demanding $500.
The message purports to come from the FBI and accuses the victim of storing adult content on the mobile device. The fake FBI note is meant to scare the victim into complying with the criminals' demand: a plain extortion attempt that preys on the fear of legal consequences for visiting adult websites and keeping lewd files. To add to the pressure, the criminals claim that a picture of the victim's face has been taken and uploaded to the FBI's cyber crime data center along with location details.
Payment is expected within three days of the notification, otherwise the fine triples, the message warns. Interestingly, the attackers do not take cryptocurrency. Instead, they demand credit card details, which is unusual, as ransomware operators typically cash in by having victims pay the ransom in cryptocurrency.

As far as the encryption goes, Lucy first tries to retrieve all the directories on the device. If that fails, it looks for the "/storage" directory, and if that also fails it searches for the "/sdcard" folder; both are Android's shared external storage, where user files such as photos and downloads live, rather than the private data of other apps. There is also a false lead in the encryption routine.
A false key is generated using the AES algorithm with a constant seed of 0x100 (256 in decimal, which is also the AES-256 key length in bits, so the value may be a key-size argument rather than a real seed). Whether this is a deliberate trick by the malware developer or a mistake in the code, that key is never applied to the files. The key that is actually used is built from the data in the first segment of the 'SecretKeySpec' together with the 'Key' string read from SharedPreferences. On Android, SharedPreferences are stored as an XML file in the app's private data directory, so the key material sits on the infected device itself. The function responsible for processing the files takes this key, the chosen file directory and a boolean variable that switches between encryption and decryption mode, so one routine serves both directions.
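To make the key handling and the directory fallback concrete, here is an added lab reconstruction in Java. It is not the malware's own code, nor code from the researchers or from Bleeping Computer; it was written for this page. It assumes that the 0x100 constant is the key size passed to KeyGenerator.init, that the 'Key' string is turned into AES key bytes by hashing it (the article does not say how that conversion is done), and that the cipher is AES/ECB/PKCS5Padding (the mode is not given). A temporary directory stands in for /sdcard and a fixed string stands in for the real SharedPreferences value; the class and method names LucyKeyLab, pickTargetRoot, falseKey, realKey and processFiles are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class LucyKeyLab {

    // Directory selection in the order the write-up gives: every directory on the device
    // first, then /storage, then /sdcard. Returns the first readable directory.
    static Path pickTargetRoot(List<Path> candidates) {
        for (Path p : candidates) {
            if (Files.isDirectory(p) && Files.isReadable(p)) {
                return p;
            }
        }
        return null;
    }

    // The "false" key. Assumption: the constant 0x100 (256) is the key size handed to
    // KeyGenerator.init(int). The result is random and is never used on the files,
    // so chasing it during analysis is a dead end.
    static SecretKey falseKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(0x100);
        return kg.generateKey();
    }

    // The key that is actually used: a SecretKeySpec built from the "Key" string.
    // Assumption: SHA-256 of the string, first 16 bytes; the write-up only says the
    // string comes from SharedPreferences, not how it becomes key bytes.
    static SecretKeySpec realKey(String keyFromPrefs) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(keyFromPrefs.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(digest, 16), "AES");
    }

    // One routine for both directions, switched by a boolean as the write-up describes.
    // Assumption: AES/ECB/PKCS5Padding. Rewrites every regular file under dir in place
    // and returns how many files it touched.
    static int processFiles(Path dir, SecretKeySpec key, boolean encrypt) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, key);
        List<Path> files;
        try (Stream<Path> walk = Files.walk(dir)) {
            files = walk.filter(Files::isRegularFile).collect(Collectors.toList());
        }
        for (Path f : files) {
            Files.write(f, cipher.doFinal(Files.readAllBytes(f)));
        }
        return files.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed lab: a temporary directory stands in for /sdcard, and a fixed string
        // stands in for the "Key" value that, on a device, sits in the app's shared_prefs XML.
        Path lab = Files.createTempDirectory("lucy-lab");
        Path note = lab.resolve("note.txt");
        byte[] original = "constructed sample file".getBytes(StandardCharsets.UTF_8);
        Files.write(note, original);
        String keyFromPrefs = "constructed-Key-value";

        // The first two candidates are deliberately non-existent placeholders so that the
        // demo can only ever touch the temporary directory, never a real /storage or /sdcard.
        Path root = pickTargetRoot(List.of(
                Path.of("/nonexistent-device-root"), Path.of("/nonexistent-storage"), lab));
        if (!lab.equals(root)) {
            throw new IllegalStateException("refusing to run outside the lab directory");
        }

        System.out.println("false key: " + falseKey().getEncoded().length + " random bytes, unused");
        SecretKeySpec key = realKey(keyFromPrefs);

        int n = processFiles(root, key, true);
        byte[] encrypted = Files.readAllBytes(note);
        System.out.println("encrypted " + n + " file(s); content unchanged: "
                + Arrays.equals(original, encrypted));

        processFiles(root, key, false);
        byte[] recovered = Files.readAllBytes(note);
        System.out.println("decrypted with the key from prefs; restored: "
                + Arrays.equals(original, recovered));
    }
}
```

Run it with a Java 11 or later JDK; it only ever writes inside the temporary directory it creates. The point to take from it is that the false key is random and discarded, while the 'Key' string that feeds the real SecretKeySpec lives in the app's shared_prefs XML under its private data directory, so an analyst with a forensic image or root access to the infected device has a realistic chance of recovering what is needed to run the same routine with the boolean set to decrypt.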
The information in this article is gathered from Bleeping Computer.