Security experts at Sensecy have discovered ORX-Locker, a Darknet Ransomware-as-a-Service platform that could allow anyone to become a cyber criminal.
It has become even easier to become a cybercriminal thanks to the sales model known as malware-as-a-service, which offers off-the-shelf malware for rent or sale. Malware writers have recently also begun to offer Ransomware-as-a-Service (RaaS); in August, McAfee security experts discovered in the Deep Web a ransomware kit called the Tox ransomware platform, which allows a piece of malware to be built in just 3 steps and is offered for sale under this model.
Now experts at Sensecy are warning of a new RaaS platform called ORX-Locker. ORX-Locker allows criminals to create their own piece of malware to infect systems and demand payment of a fee to unlock them.
In the RaaS model, when a victim decides to pay, the malicious software redirects the payment through a service provider, which keeps a percentage and forwards the rest to the criminal.
ORX-Locker implements a sophisticated AV evasion method and complex communication techniques. Researchers have discovered that the operators use hosts at universities and other organizations as control infrastructure.
ORX ransomware first appeared on 25 August 2015, when a user named orxteam announced the availability of a new RaaS service in a forum post.
The ORX team has developed a hidden service to implement the RaaS; experts say the site asks new users for only a few details.
"To join the site, new users just need to sign up. No email or other credentials are necessary. When signing up, users have the option to enter a relevant username, which will boost them by three percent of each new user's payment," states the publication, which provides a detailed description of the ORX platform.
To create a piece of ransomware, users just need to enter an ID number (5 digits maximum) and the ransom amount (ORX has set a minimum of $75), and then click the Build EXE button.
Users can easily collect their profits by transferring them to a Bitcoin address using the Wallet function. The ORX-Locker platform also offers its users a friendly interface with statistics.
The ORX ransomware build is delivered as a zip file containing the malware binary.
Researchers at Sensecy have identified the following addresses belonging to the C&C infrastructure:
- 130[.]75[.]81[.]251 - Leibniz University Hannover
- 130[.]149[.]200[.]12 - Technical University of Berlin
- 171[.]25[.]193[.]9 - DFRI (Swedish non-profit and non-party organization working for digital rights)
- 199[.]254[.]238[.]52 - Riseup (provides online communication tools for individuals and groups working for liberating social change)
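The four published addresses are the most directly actionable part of the report for a defender: they can be refanged and matched against outbound connection logs to spot infected hosts reaching the C&C infrastructure. The following script is an added example, not code from Sensecy or from the article; it assumes a constructed key=value firewall log format with a `dst=` field, and the log lines themselves are constructed for the demonstration.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Defanged C&C addresses as published for ORX-Locker (taken from the page).
DEFANGED_C2 = [
    "130[.]75[.]81[.]251",
    "130[.]149[.]200[.]12",
    "171[.]25[.]193[.]9",
    "199[.]254[.]238[.]52",
]

# Accepts the common defanging styles: "[.]", "(.)", "{.}", with or without spaces.
DEFANG_RE = re.compile(r"\s*[\[({]\.[\])}]\s*")


def refang(ioc: str) -> str:
    """Turn a defanged IP such as '130[.]75[.]81[.]251' back into '130.75.81.251'.

    The result is validated with ipaddress so that a typo in the IOC list
    raises immediately instead of silently never matching anything.
    """
    candidate = DEFANG_RE.sub(".", ioc.strip())
    return str(ipaddress.ip_address(candidate))


# Refanged set used for exact (not substring) lookups.
C2_ADDRESSES = frozenset(refang(ioc) for ioc in DEFANGED_C2)

# Destination field of the assumed key=value log format; the trailing \b keeps
# "130.149.200.120" from being truncated into "130.149.200.12".
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_c2_hits(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (log line, matched C&C address) for each line whose dst is a known C&C."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if m and m.group(1) in C2_ADDRESSES:
            hits.append((line, m.group(1)))
    return hits


# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2015-08-27T10:01:02Z src=10.0.0.14 dst=93.184.216.34 dport=443 action=allow",
    "2015-08-27T10:01:05Z src=10.0.0.14 dst=130.75.81.251 dport=443 action=allow",
    # Shares a prefix with a C&C address; a naive substring match would flag it wrongly.
    "2015-08-27T10:01:09Z src=10.0.0.22 dst=130.149.200.120 dport=80 action=allow",
    "2015-08-27T10:02:11Z src=10.0.0.14 dst=199.254.238.52 dport=443 action=allow",
]

if __name__ == "__main__":
    for line, address in find_c2_hits(SAMPLE_LOG):
        print(f"C&C contact with {address}: {line}")
```

Matching on the parsed destination field rather than searching the raw line for the address string is deliberate: the third sample line contains `130.149.200.12` as a substring but is not a hit, and a substring search would have produced a false positive. Hosts flagged this way should be treated as candidates for containment and forensic review, since the report notes the same infrastructure is hosted at legitimate organizations.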
ORX ransomware encrypts the victim's files and, once done, displays a pop-up message; it also creates a file containing the payment instructions on the desktop.
The publication by Sensecy's researchers includes a YARA rule for detecting the malware.