ORX locks all of the user’s files and demands a payment. The ransomware is available on a Darknet website.
The distribution method is not clear yet. ORX may be distributed via unsafe browsing, corrupted attachments, drive-by downloads, etc.
The ransomware connects to the official Tor project website and downloads the Tor client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.
The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.
It also changes proxy settings in Windows.
http://sensorstechforum.com/remove-orx- ... ce-attack/
http://www.cso.com.au/article/583531/or ... l-emerges/
Any samples would be much appreciated.
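The behaviour described in the post (files recreated with a .LOCKED ending while the originals are deleted, plus a process talking to the Tor SOCKS ports 9050/49201) is enough to write a simple host-side detection. The following is an added example and not code from the post or from the ORX analysis; the endpoint log format, the sample events and the alert thresholds are all constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed endpoint telemetry, one event per line: "<time> <pid> <event> <arg>".
SAMPLE_LOG = """\
10:00:01 4120 net_connect 203.0.113.7:443
10:00:05 4120 net_connect 127.0.0.1:9050
10:00:09 4120 file_create C:\\Users\\bob\\Documents\\report.docx.LOCKED
10:00:09 4120 file_delete C:\\Users\\bob\\Documents\\report.docx
10:00:10 4120 file_create C:\\Users\\bob\\Pictures\\cat.jpg.LOCKED
10:00:10 4120 file_delete C:\\Users\\bob\\Pictures\\cat.jpg
10:00:11 4120 file_create C:\\Users\\bob\\Desktop\\notes.LOCKED
10:00:11 4120 file_delete C:\\Users\\bob\\Desktop\\notes.txt
10:00:12 980 file_create C:\\Users\\bob\\Desktop\\todo.txt
10:00:13 980 file_delete C:\\Users\\bob\\Desktop\\old.txt
10:00:14 2210 net_connect 127.0.0.1:9050
"""
TOR_PORTS = {9050, 49201}   # ports seen in the post's analysis
MIN_PAIRS = 3               # assumed threshold, tune per environment

def _stem(path):
    # Drop a trailing .LOCKED and the original extension, so that both
    # "x.docx" -> "x.docx.LOCKED" and "x.docx" -> "x.LOCKED" pair up.
    if path.upper().endswith(".LOCKED"):
        path = path[:-len(".LOCKED")]
    return ntpath.splitext(path)[0].lower()

def analyze(log_text):
    """Per-pid summary: encrypt-and-delete pairs, Tor port use, verdict."""
    locked = defaultdict(set)   # pid -> stems of *.LOCKED files created
    deleted = defaultdict(set)  # pid -> stems of files deleted
    tor = defaultdict(bool)     # pid -> connected to a Tor SOCKS port
    for line in log_text.splitlines():
        _ts, pid, event, arg = line.split(" ", 3)
        if event == "net_connect":
            port = int(arg.rsplit(":", 1)[1])
            tor[pid] = tor[pid] or port in TOR_PORTS
        elif event == "file_create" and arg.upper().endswith(".LOCKED"):
            locked[pid].add(_stem(arg))
        elif event == "file_delete":
            deleted[pid].add(_stem(arg))
    report = {}
    for pid in set(locked) | set(deleted) | set(tor):
        pairs = len(locked[pid] & deleted[pid])   # original gone, .LOCKED twin present
        report[pid] = {
            "locked_pairs": pairs,
            "tor_port": tor[pid],
            "suspicious": pairs >= MIN_PAIRS or (pairs > 0 and tor[pid]),
        }
    return report
```

A Tor port connection on its own (pid 2210 above) is not flagged, since a legitimate Tor Browser behaves the same way; it only raises the verdict when combined with the rename-and-delete pattern.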