Tor proxy service caught stealing Bitcoin ransoms from ransomware creators
Security company Proofpoint has recently noticed that one Tor proxy service has been stealing Bitcoin from ransomware creators by replacing wallet addresses on payment websites, essentially making the situation worse for the ransomware victim. So far, they have stolen $22,000 in ransom money, but since creators are aware of this scheme, they are unlikely to steal more. However, while some may rejoice that ransomware-spreading crooks are getting a taste of their own medicine, a couple of hundred victims just wasted the money they intended to use for file decryption.
What is a Tor Proxy?
Generally, when users infect their computers with ransomware, they are asked to download the Tor browser, which allow crooks to remain anonymous. They are asked to access certain sites on Tor where they can submit payments and get a decryptor. However, the majority of people do not use Tor, nor do they know how to download/install it. To make it easier for victims to pay the ransom, criminals allow them to use a Tor Proxy.
A Tow Proxy is essentially a regular website that allows users to access Tor websites without having to use the Tor browser. Thus, ransomware victims can access Tor domains using their regular browsers, such as Internet Explorer, Google Chrome or Mozilla Firefox. This has become a popular method among ransomware creators because over-complicating the payment process could mean less people pay the ransom.
However, as the cybersecurity firm that pointed out the theft has noted, “this gives the Tor proxy operators unlimited power to replace content, acting as a man-in-the-middle”.
Around $22,000 stolen
Proofpoint first noticed the behavior on a payment website for the LockeR ransomware. The website displays a clear message to not use the Tor proxy onion.top for payment, as they are stealing the Bitcoins.
“Do NOT use onion.top, they are replacing the bitcoin address with their own and stealing bitcoins. To be sure you’re paying to the correct address, use Tor Browser,” the message warns.
According to the firm, the proxy operators, in this case the onion.top, replace the original wallet address on the website with their own, and victims of ransomware unknowingly transfer the money into the thief’s account.
“Operators of this proxy are surreptitiously diverting Bitcoin payments from ransomware victims to their own wallets by modifying in transit the source of web pages used for payment, replacing the ransomware author-controlled Bitcoin addresses with their own,” Proofpoint explains.
Based on the amounts stolen, which are around $22,000, it does not seem that the theft attempts were very successful, indicating that the Tor proxy service is not that widespread among ransomware distributors/creators, or the scheme was noticed very quickly.
“We examined at the replacement Bitcoin addresses to determine how much may have been stolen by the proxy operators. The Bitcoin address 13YFjj7WqWY5Un7Pgw1VdrpceHpn5BTZdp has had a total of 0.15 BTC transferred to it ($1,661 at the time of publication). The Bitcoin address 1Q64uWnKMUoZ6G7BSrH77xdrewMou2zGpU has had a total of 1.82 BTC transferred to it ($20,154 at the time of publication),” the firm notes the stolen amounts from LockeR, and GlobeImposter and Sigma.
The Tor proxy service is not redirecting payments for all ransomware, but it is likely that malware creators will avoid using the services just to be on the safe side. The affected ransomware creators are now deleting the Tor proxy links and instead, ask victims to download the Tor browser and access the payment websites using it.
Ransomware victims end up losing both the money and their files
While it is true that ransomware creators are harmed by this, the victims of ransomware are put into an even more difficult situation. They lose both their money and their files because as far as creators are concerned, they did not get the money for the decryptor. And we highly doubt they will be generous enough to provide a decryption method for free because of this situation.
In general, it is usually recommended that users do not pay the ransom, as the whole process is rather unreliable. Not only is file decryption not guaranteed, as crooks could just take the money, paying also supports the already very profitable business, thus attracting even more people to it. If everyone took the time to back up their files, they would not be forced to pay the ransom. Backup is especially important nowadays, with some many threats lurking around everywhere.
WiperSoft.com is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.
The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.