The latest in FBI impersonation: An extortion scheme involving mobile ransomware

Ransomware on mobile phones may not be the most profitable avenue for criminals, but that hasn't stopped some from trying to make a buck.
the software pulls information from Facebook Messenger, WhatsApp, and Line, an end-to-end encrypted messaging application that's popular in Asia. (Flickr user <a href="">StevenW</a> / CC-BY-2.0)

The FBI has done a lot to crack down on illicit online activity in recent years, from installing cyber investigators in field offices across the country to scouring the dark web for suspects. But those efforts, needless to say, do not include locking a suspect’s phone and demanding a fee to get the data back.

It’s the latest twist on a scheme that cybercriminals have been using online for years: Make people think they’re in trouble with the feds, and shake them down for cash. Cybersecurity company Check Point said Tuesday that this time the crooks are encrypting the data on Android phones, accusing the victims of possessing illegal pornographic material and claiming that their personal details have been sent to an FBI data center. Victims are told to pay $500 to escape the situation.

Older versions of the scheme involve fake FBI warnings that arrive via email or web browsers. Using the tactic with mobile ransomware is much less common.

The malicious software at the heart of the scheme, Black Rose Lucy, has been around since at least 2018, perhaps earlier. Russian-speaking operators previously had rented it out to criminal clients, according to Check Point. Now, the researchers say they’ve found around 80 malicious samples of the updated code sent to Android phones in Eastern Europe via social media and messaging apps. It is unclear how many devices have been infected. Check Point says it doesn’t have that data.


Ransomware has long been used against personal computers and bigger IT systems, but researchers say the file-locking attacks have been increasingly affecting mobile phones in recent years. Ransomware has been coded to infect Android phones since at least 2014, according to mobile security company Wandera. Since then, a number of mobile ransomware strains have emerged, including one last year that tries to spread to a victim’s mobile contacts via text messages.

On the whole, though, mobile ransomware is not as profitable for criminals as ransomware that infects PCs or enterprise systems, said Allan Liska, a threat intelligence analyst at cybersecurity company Recorded Future. “Most people just reset their phones and move on with their lives rather than paying the ransom.”

At the same time, the value that users place on their mobile phones will make them a target, said Aviran Hazum, a Check Point researcher.

“As we keep using our mobile devices for more and more day to day actions, the value behind each infected device increase,” Hazum told CyberScoop in an email.

The FBI has warned the public about impersonation schemes in the past. Other U.S. government agencies have had similar problems, including most recently the Small Business Administration, as it tries to deliver grant money to companies affected by the coronavirus pandemic.


“Unfortunately, this is not the first time a ransomware actor has impersonated the FBI or law enforcement to coerce victims into paying to decrypt files,” the FBI said in a statement.

“The FBI routinely notifies individuals and organizations of potential threat information,” the statement continued. “We perform these notifications so potential victims are aware of possible threats and can take the appropriate steps to protect themselves. Any FBI notification can be verified by calling an FBI field office. The FBI does not issue fines and an FBI notification would not request payment for a fine.”

UPDATE, 4/30/20 8:11 a.m. EDTThis story has been updated with a statement from the FBI.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts