No honour among thieves: Hackers using Tor proxy site to steal ransomware operators' bitcoins

30 January 2018, by India Ashok

Ransomware operators have begun warning their victims not to use Tor proxy sites when making ransom payments.

Bitcoin's recent surge in value appears to have ramped up hackers' interest in the digital currency more than ever, with some even resorting to stealing from each other. Security experts have observed a new campaign in which hackers use a Tor proxy site to steal Bitcoin payments from various ransomware operators.

Ransomware operators often demand that victims pay in bitcoins via a payment page hosted on a Tor site, but most victims do not have the Tor browser installed. Many therefore fall back on Tor proxy sites (ordinary web gateways that relay .onion content) to make the payment, and operators of several ransomware strains even suggest that victims do so. A proxy, however, sits between the victim and the payment page and so has "unlimited power" to rewrite the content it relays, acting as a man-in-the-middle.

Security researchers at Proofpoint discovered that operators of the Tor proxy domain – "onion[.]top" – have been secretly diverting bitcoin payments made by ransomware victims. The hackers surreptitiously changed the bitcoin address controlled by the ransomware operators and replaced it with an address of their own. This allowed the hackers to steal from both the victims as well as the operators of the ransomware.

"The proxy operators are not only preventing ransomware victims from decrypting their files by paying a ransom but are also in effect stealing from the threat actors distributing ransomware. This appears to be the first scheme of this type affecting both ransomware victims and operators," Proofpoint researchers said in a blog.

According to Proofpoint researchers, the onion[.]top copies of the payment pages for the LockerR ransomware, the GlobeImposter ransomware and Sigma ransomware all showed a different Bitcoin address from the one displayed on the corresponding Tor sites. The operators of the Tor proxy site have already stolen over $20,000 (£14,236) in bitcoins. However, sophisticated ransomware authors already appear to be aware of the theft campaign and have begun warning their victims not to use the onion[.]top site to make payments.

For instance, LockerR ransomware operators, who were previously unaware of the campaign and had even included onion[.]top links in their ransom note, have since deleted the links and added a warning in red text for victims. The operators of the Magniber ransomware now split their Bitcoin address into four parts in the HTML source code, in an effort to stop the proxy from recognising and replacing it with a simple pattern match. Meanwhile, the authors of the GlobeImposter ransomware urge their victims to use the Tor browser when making payments.
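The substitution described above (a proxy rewriting the Bitcoin address in a relayed page) and the Magniber countermeasure (splitting the address across HTML elements) are both things an analyst can check for offline. The following script is an added example written for this page, not code from Proofpoint, the proxy or any ransomware family. It extracts candidate legacy Bitcoin addresses from two copies of the same page, one fetched directly over Tor and one fetched through a proxy, validates each candidate with the Base58Check checksum so random Base58-looking strings are not reported, strips markup first so an address split across elements is reassembled, and reports any position where the two copies disagree. The HTML snippets are constructed sample inputs that use well-known public example addresses (the genesis-block coinbase address and a Bitcoin wiki example) as stand-ins; the function names are the example's own.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate P2PKH ('1...') and P2SH ('3...') addresses, 26-35 characters,
# not touching another Base58 character on either side.
ADDR_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![1-9A-HJ-NP-Za-km-z])"
)


def b58check_decode(addr: str):
    """Decode a Base58 string to bytes; None if a character is outside the alphabet."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the text encodes a leading 0x00 byte.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_address(addr: str) -> bool:
    """True if addr is a well-formed mainnet P2PKH/P2SH address with a correct checksum."""
    raw = b58check_decode(addr)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(html: str) -> list:
    """Return checksum-valid addresses found in the page, in document order.
    Tags are stripped first, so an address split across elements is reassembled."""
    text = re.sub(r"<[^>]+>", "", html)
    return [a for a in ADDR_RE.findall(text) if is_valid_address(a)]


def compare_pages(direct_html: str, proxied_html: str) -> dict:
    """Compare the addresses on the directly fetched page with those on the
    proxied copy and list every position where they differ."""
    direct = extract_addresses(direct_html)
    proxied = extract_addresses(proxied_html)
    substituted = [(d, p) for d, p in zip(direct, proxied) if d != p]
    return {
        "direct": direct,
        "proxied": proxied,
        "count_mismatch": len(direct) != len(proxied),
        "substituted": substituted,
    }


# Constructed sample pages (hypothetical markup; public example addresses as stand-ins).
DIRECT_HTML = (
    "<html><body><p>Send 0.5 BTC to "
    "<b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b></p></body></html>"
)
PROXIED_HTML = (
    "<html><body><p>Send 0.5 BTC to "
    "<b>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</b></p></body></html>"
)
# Address split across elements, in the style of the countermeasure described above.
SPLIT_HTML = (
    "<p>Send 0.5 BTC to <span>1A1zP1eP5Q</span><span>Gefi2DMPTf</span>"
    "<span>TL5SLmv7Di</span><span>vfNa</span></p>"
)

if __name__ == "__main__":
    report = compare_pages(DIRECT_HTML, PROXIED_HTML)
    for direct_addr, proxied_addr in report["substituted"]:
        print(f"address substituted by proxy: {direct_addr} -> {proxied_addr}")
    print("split address reassembled:", extract_addresses(SPLIT_HTML))
```

Comparing addresses by position rather than as sets keeps a swapped pair visible, and the checksum filter means a proxy that merely breaks the page (truncating an address, say) shows up as a count mismatch instead of a bogus substitution.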

"While it appears that operators of onion.top have not stolen a large number of bitcoins from ransomware victims yet, because many victims use Tor proxies instead of installing the Tor browser, the potential impact is high for victims attempting to pay the ransom and decrypt their files. Ultimately, this type of activity undermines the somewhat dubious trust relationship that underpins the ransomware business.

"While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms," Proofpoint researchers said. "This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users."
