Extorting bitcoin using ransomware is a profitable business. One Google report pegged a group of extortionists making $25 million in two years. Now, at least one Tor proxy service is trying to get its cut, as it was caught diverting victims’ payments to its own wallets.
Ransomware extortionists ask their victims to pay in bitcoin, and to use the deep web so they can escape authorities. When a ransomware victim doesn’t want to or isn’t able to install the Tor browser, used to access the deep web’s .onion domains, operators ask them to use a Tor proxy, such as onion.top or onion.to.
Tor proxy services allow users to access .onion websitse using a regular browser such as Google Chrome, Edge, or Firefox, simply by adding the .top or .to extension to the end of any Tor URL. These services have been getting increasingly popular among ransomware authors. So much so, a few strains even added alternative URLs to help victims pay using these services.
According to cybersecurity firm Proofpoint, at least one of these services, onion.top, was caught replacing the ransomware’s bitcoin payment address with its own. Per the researchers, the service was secretly doing this, and has seemingly netted over $22,000 from the move.
Researchers discovered onion.top was doing this after noticing a ransomware strain dubbed LockeR warned users not to use the service as it was stealing its bitcoin. The warning reads:
“Do NOT use onion.top, they are replacing the bitcoin address with their own and stealing bitcoins. To be sure you’re paying to the correct address, use Tor Browser.”
Onion.top is altering bitcoin wallet addresses of at least three different ransomware strains: LockeR, Sigma, and GlobeImposter. The wallets are seemingly manually configured, on a per-site basis. The low amount earned suggests that the move either wasn’t that successful, or that wallets aren’t always replaced.
Ransomware Authors are Countering the Move
According to reports, the authors behind affected ransomware strains are countering onion.top’s move in a variety of ways. Most are simply trying to get users to skip Tor proxy services altogether, and just pay using the Tor browser. Others, such as MagniBer, decided to split the bitcoin payment address shown to the victim across different HTML tags, to avoid automatic replacement.
Victims who decide to pay the ransom and end up sending their funds to the Tor proxy service aren’t paying the ransomware extortionists, and won’t likely see their files decrypted as, in the extortionist’s eyes, the ransom was never paid.
Proofpoint’s researchers stated:
“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims.”
Featured image from Shutterstock.