Now-a-days malware authors started offering malware and ransomware as a sale or service model.It allow to build the malware with few clicks.even script kiddie can build and spread the malware. Security experts at sensecy have discovered a new "ransomware as a service" malware named ORX-Locker,which allow attacker to build the malware and infect the system and demand the money in few clicks. ORX-Lockers have capabilities to evade detecton from antivirus.
The malware authors are adopting the RaaS model because when victims decide to pay, the malware redirects them through a service provider that keeps a percent of the fee and transfer the rest to the criminal.A Ransomware named "Hidden Tear" is published by Utku Sen few days ago.Uktu sen published the ransomware on github.com as open sources,for educational purpose only.
The team ORX developed a hidden service to implement the RaaS. To setup the ransomware ,a new user need to enter few details at the time of registration.It does not ask user for emails Address and other identifying details.At the time of registration it also ask user to enter the name of referral if any.Referral will earn three percent from every payment made to the referred user.
The team ORX developed a hidden service to implement the RaaS. To setup the ransomware ,a new user need to enter few details at the time of registration.It does not ask user for emails Address and other identifying details.At the time of registration it also ask user to enter the name of referral if any.Referral will earn three percent from every payment made to the referred user.
After Log-in the account,the user can move between five sections.To build the ransomware,move to Build.exe,add the ID number and ransom price(ORX put a minimum of $75) then click on build.exe button.
User gets a zip file containing the binary of Ransomware.Zip contain an ".exe" file,when user run the .exe file it start communicating with various ip address as given below:
- 130[.]75[.]81[.]251 – Leibniz University of Hanover
- 130[.]149[.]200[.]12 – Technical University of Berlin
- 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
- 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)
When ORX ransomware finish encrypting the victim file then it show pop-up message to victim as shown below:
It also create a file on desktop regarding the payment instruction.Select bitcoin as a payment method to withdrawn money anonymously from account.