It is becoming even easier to become a cyber-criminal thanks to the model of sale known as malware-as-a-service that offers off-the-shelf malware for rent or sale. Recently malware authors started to offer also Ransomware-as-a-Service (RaaS), in August security experts at McAfee discovered in the Deep Web a ransomware-construction kit, dubbed Tox ransomware platform that allows easy to build malware in just 3 steps, implementing this model of sale.
Now experts at Sensecy are warning of a new RaaS platform dubbed titled ORX-Locker, it allows criminals to create their piece of malware to infect systems and request the payment of a fee to unlock the system.
In RaaS model, when victims decide to pay, the malware redirects them through a service provider that keeps a percent of the fee and forwards the rest to the criminal.
ORX implements a sophisticated AV evasion method and complex communication techniques, the researchers discovered that it uses universities and other platforms as control infrastructure.
The First Appearance for the ORX ransomware is dated August 25, 2015, when a user dubbed orxteam announced the availability of a new RaaS service in a post.
The team ORX developed a hidden service to implement the RaaS, the experts highlight that the website requests a few details to new users.
“To enter the site, new users just need to register. No email or other identifying details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user.” state the post that provides a detailed description of the ORX platform.
In order to create a ransomware stub the users just need to add the ID number (5 digits max) and the ransom price (ORX put a minimum of $75), then they have to click the Build EXE button.
The user can easily withdraw his earnings by transferring them to a Bitcoin address by using the Wallet function. The Orx ransomware platform also implements a friendly statistics on its users.
The Orx Ransomware is a zip file containing the binary for the malware.
The researchers at Sensecy have identified these addresses belonging the C&C infrastructure.
- 130[.]75[.]81[.]251 – Leibniz University of Hanover
- 130[.]149[.]200[.]12 – Technical University of Berlin
- 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
- 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)
The Orx ransomware encrypts the victim’s files and informs it about the infection by displaying a popup message, it also creates on the desktop a file containing the payment instruction.
![](data:image/svg+xml;charset=utf-8,<svg height="188px" width="470px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
The post published by the researchers at Sensecy includes also the Yara rule for the malware detection.
(Security Affairs – Orx ransomware platform, Tor Network)
