
ORX-Locker, a Web Platform to Create Ransomware

The only thing more dangerous than cryptolocker-type ransomware in the hands of a highly skilled hacker is the same ransomware offered as a service and made available to the general public. Similar to the private TOX RaaS (Ransomware as a Service) platform discovered in August, ORX-Locker is a free-to-use web platform where anyone can create and download malware that will encrypt a victim’s file system and demand payment for recovery. This is one of the first public RaaS sites we’ve seen; most of those discovered in the past were private and/or required approval of new members.

The sign-up process for ORX-Locker is completely anonymous (no email required) and the site will generate a custom malware executable for anyone, at no charge. Like TOX, the operators collect a percentage on the back end when victims remit payment, and they allow you to set your own ransom amount. This puts malware development, traditionally requiring the specialized skill of writing code, in the hands of anyone with the motivation to do wrong. While the delivery of the payloads is still something the attacker is responsible for, that requires much less technical prowess than the authoring of ransomware. Even in the event that the attacker has absolutely no experience whatsoever with computing other than web browsing, there are plenty of sites that facilitate or even perform the payload delivery for them.

Impact on you

  • Ransomware, in itself, presents a great threat to anyone, especially organizations that store payment and other sensitive information. Once a machine is infected, unless you have a recent backup, its data is essentially irrecoverable.
  • If you end up having to pay the ransom, there is no guarantee the data will actually be decrypted. Even if the data is successfully recovered, the downtime you experience as a result of the infection could result in a significant loss of revenue.
  • ORX-Locker (and other RaaS platforms) makes ransomware development, once a highly specialized skill, available to anyone with ill intent. This could increase the occurrence of these attacks exponentially.

How AlienVault Helps

LevelBlue Labs continues to perform cutting-edge research on threats like these, collecting large amounts of data and then analyzing it to extrapolate expert threat intelligence. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can identify activity related to this ransomware:

  • System Compromise, Trojan infection, Orxlocker

For further investigation into ORX-Locker and its ransomware development platform, visit the Open Threat Exchange (OTX) and see what research members of the community have done:

https://otx.alienvault.com/pulse/561da6314637f21ecf2a8dea/
