Enterprising dark web cyber-criminals are stealing ransomware payments destined for rival black hats via a Tor proxy, according to new research from Proofpoint.
Ransomware authors often advise victims to use a Tor proxy to complete payment to a specified Bitcoin address, as most users don’t have a Tor browser installed.
However, this workaround has proved to be the undoing of some.
Proofpoint spotted several cases where hackers are using the onion[.]top proxy to effect a kind of man-in-the-middle attack, stepping in to redirect payment to their own Bitcoin address.
On the LockerR ransomware portal there’s even a notice urging victims not to use the proxy, and instead download the Tor browser.
The security vendor also found similar attack techniques at work to redirect payments intended for the authors of GlobeImposter and Sigma ransomware.
Although the researchers only found around $22,000 in Bitcoin in these addresses, the scale of the operation may be far greater. The same proxy is not being used to redirect payments for all ransomware variants, however.
“Sophisticated ransomware operators appear to be aware of this behavior and are attempting to mitigate with ‘user education’ and technical workarounds,” explained Proofpoint.
“Magniber ransomware appears to combat Bitcoin address replacement by splitting it into four parts in the HTML source code, making it harder for proxies to detect the Bitcoin address pattern. GlobeImposter ransomware urges users to use the Tor browser and hides the .onion payment address from the victims. Instead of providing it as a link in the ransom note, it is obfuscated in the note, and de-obfuscated at run-time when the user clicks a button.”
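The quote above turns on one detail: a proxy (or a defender's content filter) can only act on a payment address it can recognise as a single Base58Check string in the page source. The following added example, which is not code from the article or from Proofpoint, shows why. It scans raw HTML for legacy-format ("1..."/"3...") Bitcoin address candidates, confirms each with the standard double-SHA256 checksum, and then runs the same scanner over two constructed ransom-note fragments: one with the address intact, and one with the address split into four elements in the style the quote attributes to Magniber. The well-known genesis-block address stands in for a payment address, since the article names none.

```python
import re
from hashlib import sha256

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy address: '1' (P2PKH) or '3' (P2SH) followed by 25-34 Base58
# characters, bounded on both sides so it is not part of a longer token.
BTC_CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(encoded: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on a non-alphabet character."""
    value = 0
    for ch in encoded:
        value = value * 58 + B58_ALPHABET.index(ch)
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' encodes one leading zero byte (the version byte for P2PKH).
    leading_zeros = len(encoded) - len(encoded.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """Check length and the 4-byte double-SHA256 checksum of a Base58Check address."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return sha256(sha256(payload).digest()).digest()[:4] == checksum


def find_bitcoin_addresses(html: str) -> list[str]:
    """Return checksum-valid legacy addresses that appear intact in the raw HTML source."""
    return [c for c in BTC_CANDIDATE_RE.findall(html) if is_valid_legacy_address(c)]


# Public address from Bitcoin's genesis block, used as a stand-in for a
# ransom-note payment address (the article names no address).
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Constructed ransom-note fragment with the address written out in one piece.
PLAIN_NOTE = f"<p>Send 0.5 BTC to <b>{GENESIS_ADDRESS}</b></p>"

# Constructed fragment in the style the article attributes to Magniber: the same
# address split across four elements, so no single run of characters matches.
SPLIT_NOTE = (
    "<p>Send 0.5 BTC to "
    f"<span>{GENESIS_ADDRESS[:9]}</span><span>{GENESIS_ADDRESS[9:18]}</span>"
    f"<span>{GENESIS_ADDRESS[18:26]}</span><span>{GENESIS_ADDRESS[26:]}</span></p>"
)

if __name__ == "__main__":
    print("intact note :", find_bitcoin_addresses(PLAIN_NOTE))   # address found
    print("split note  :", find_bitcoin_addresses(SPLIT_NOTE))   # nothing found
    # A single-character corruption passes the regex but fails the checksum.
    print("corrupted   :", is_valid_legacy_address(GENESIS_ADDRESS[:-1] + "b"))
```

The checksum step matters for a filter: the regex alone fires on any 26-35 character Base58 run, while Base58Check rejects typos and random look-alike tokens. The split note illustrates the limit the quote describes: a detector that works on raw markup sees four short fragments, none of which can match, so a control keyed on source-level address patterns (whether a hostile proxy or a defensive ransom-note filter) is blind to it.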
While it’s somewhat satisfying to see some ransomware-slingers get a taste of their own medicine, the latest tactic is also bad news for victims: if they’re unable to pay the ransom there’s zero chance they’ll get their files back.
“Ultimately, this type of activity undermines the somewhat dubious trust relationship that underpins the ransomware business,” Proofpoint concluded.
“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms.”
Over half (54%) of global organizations were infected with ransomware last year, according to Sophos.