The latest in FBI impersonation: An extortion scheme involving mobile ransomware

The software pulls information from Facebook Messenger, WhatsApp, and Line, an end-to-end encrypted messaging application that's popular in Asia. (Flickr user StevenW / CC-BY-2.0)

The FBI has done a lot to crack down on illicit online activity in recent years, from installing cyber investigators in field offices across the country to scouring the dark web for suspects. But those efforts, needless to say, do not include locking a suspect’s phone and demanding a fee to get the data back.

It’s the latest twist on a scheme that cybercriminals have been using online for years: Make people think they’re in trouble with the feds, and shake them down for cash. Cybersecurity company Check Point said Tuesday that this time the crooks are encrypting the data on Android phones, accusing the victims of possessing illegal pornographic material and claiming that their personal details have been sent to an FBI data center. Victims are told to pay $500 to escape the situation.

Older versions of the scheme involve fake FBI warnings that arrive via email or web browsers. Using the tactic with mobile ransomware is much less common.

The malicious software at the heart of the scheme, Black Rose Lucy, has been around since at least 2018, perhaps earlier. Russian-speaking operators previously had rented it out to criminal clients, according to Check Point. Now, the researchers say they’ve found around 80 malicious samples of the updated code sent to Android phones in Eastern Europe via social media and messaging apps. It is unclear how many devices have been infected. Check Point says it doesn’t have that data.

Ransomware has long been used against personal computers and bigger IT systems, but researchers say the file-locking attacks have been increasingly affecting mobile phones in recent years. Ransomware has been coded to infect Android phones since at least 2014, according to mobile security company Wandera. Since then, a number of mobile ransomware strains have emerged, including one last year that tries to spread to a victim’s mobile contacts via text messages.

On the whole, though, mobile ransomware is not as profitable for criminals as ransomware that infects PCs or enterprise systems, said Allan Liska, a threat intelligence analyst at cybersecurity company Recorded Future. “Most people just reset their phones and move on with their lives rather than paying the ransom.”

At the same time, the value that users place on their mobile phones will make them a target, said Aviran Hazum, a Check Point researcher.

“As we keep using our mobile devices for more and more day-to-day actions, the value behind each infected device increases,” Hazum told CyberScoop in an email.

The FBI has warned the public about impersonation schemes in the past. Other U.S. government agencies have had similar problems, including most recently the Small Business Administration, as it tries to deliver grant money to companies affected by the coronavirus pandemic.

“Unfortunately, this is not the first time a ransomware actor has impersonated the FBI or law enforcement to coerce victims into paying to decrypt files,” the FBI said in a statement.

“The FBI routinely notifies individuals and organizations of potential threat information,” the statement continued. “We perform these notifications so potential victims are aware of possible threats and can take the appropriate steps to protect themselves. Any FBI notification can be verified by calling an FBI field office. The FBI does not issue fines and an FBI notification would not request payment for a fine.”

UPDATE, 4/30/20 8:11 a.m. EDT: This story has been updated with a statement from the FBI.