
Tor Proxy Double-Crosses Ransomware Victims and Operators

In April 2017, Symantec published a research report according to which about 47% of victims who pay the ransom after a ransomware infection never get their files back. Now, you might be all bitter about it and say that that's what they deserve for trying to do business with the cybercrooks, but let's take a look at the situation from another perspective. You wake up one day, and all your family photos, videos, and important documents are gone. You don't have a backup, and you really don't want to lose the precious data. For some people, paying the ransom is the only alternative.

And truth be told, while the worst ransomware operators just want to make off with your bitcoins and leave you empty-handed, a lot of them will make good on their promise and give you a working decryptor once the payment goes through. But what if the honest (or, more precisely, not completely dishonest) ransomware operators get swindled as well? It seems such a thing is happening right now, and unfortunately, the scheme (detailed by Proofpoint researchers on Monday) affects both the ransomware authors and the victims. Here's how it works.

As you probably know, after encrypting your files, the ransomware executable will display a ransom note telling you how to get them back. Usually, there's a payment page which, for obvious reasons, is hosted on the anonymous Tor network. To get to it, you need to either install the Tor browser or go through one of the Tor proxy (a.k.a. Tor gateway) services available to Clearnet users.

For some, installing the Tor browser will be easy, but others might find it challenging, and there are ransomware operators that actually encourage the use of Tor proxies. One of the popular Tor gateways is onion[.]top, and its developers have decided to make a few bucks by robbing ransomware victims without the hassle of running a ransomware operation.

The thing with Tor proxies is that the people who operate them are practically in the middle, i.e., they handle the traffic between the victim's PC and the payment page, and there's nothing to stop them from altering it. That's why, when victims visit a payment page through onion[.]top, they might not get to the real payment page. Most of it is the same – the instructions, the ransom demand, the email they need to contact once they process the transaction, etc. The only difference between the real Tor-hosted payment portal and the fake one served by onion[.]top is the cited Bitcoin wallet.

Screenshot: example of a Tor-hosted payment portal (source: Proofpoint.com)

As a result, instead of paying for a decryptor, the victims send money to a wallet controlled by the people running onion[.]top. The ransomware operators don't get their money, and the victims don't get their files back.
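One way an analyst or a defender can check for exactly this kind of tampering is to fetch the same payment page twice, once directly over Tor and once through the gateway, and compare the Bitcoin addresses each copy cites. The Python below is an added example written for this article, not code from Proofpoint, from onion[.]top or from any ransomware project. The two HTML pages are constructed samples, the `diff_wallets` and `report` names are this example's own, the first address is the public Bitcoin genesis-block address and the second is a placeholder standing in for a wallet a proxy operator would control; the legacy-address checksum test is standard Base58Check (version byte, 20-byte hash, 4-byte double-SHA-256 checksum).

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Matches legacy (1.../3...) and bech32 (bc1...) address shapes in page text.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{39,59})\b"
)


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' becomes a leading zero byte."""
    value = 0
    for ch in text:
        value = value * 58 + BASE58_ALPHABET.index(ch)  # ValueError on a bad char
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def base58check_valid(addr: str) -> bool:
    """True if a legacy address carries a correct Base58Check checksum."""
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4 checksum bytes
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(html: str) -> set[str]:
    """Return every string in the page that looks like a Bitcoin address."""
    return set(BTC_ADDR_RE.findall(html))


def diff_wallets(direct_html: str, proxied_html: str) -> tuple[set[str], set[str]]:
    """Compare the same page fetched directly and through a gateway.

    Returns (addresses only on the direct page, addresses only on the proxied
    page). A non-empty second set means the gateway injected a wallet.
    """
    direct = extract_btc_addresses(direct_html)
    proxied = extract_btc_addresses(proxied_html)
    return direct - proxied, proxied - direct


def report(direct_html: str, proxied_html: str) -> list[str]:
    """Human-readable findings; injected legacy wallets are also checksum-checked."""
    missing, injected = diff_wallets(direct_html, proxied_html)
    lines = []
    if not missing and not injected:
        lines.append("OK: proxied page cites the same wallet(s) as the direct page")
    for addr in sorted(missing):
        lines.append(f"REMOVED by proxy: {addr}")
    for addr in sorted(injected):
        if addr.startswith("bc1"):
            status = "bech32, checksum not verified here"
        elif base58check_valid(addr):
            status = "valid checksum"
        else:
            status = "invalid checksum"
        lines.append(f"INJECTED by proxy: {addr} ({status})")
    return lines


# Constructed sample: the page as the operator serves it, and the same page
# as a tampering gateway would serve it. The first address is the public
# genesis-block address; the second is a placeholder for an attacker wallet.
DIRECT_PAGE = """<html><body>
<h1>Your files are encrypted</h1>
<p>Send 0.5 BTC to <span id="wallet">1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</span>
and email support@example.invalid with your ID.</p>
</body></html>"""

PROXIED_PAGE = DIRECT_PAGE.replace(
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
)

if __name__ == "__main__":
    for line in report(DIRECT_PAGE, PROXIED_PAGE):
        print(line)
```

The comparison is deliberately text-level: the substituted page is otherwise identical to the original, so a wallet that appears in only one of the two copies is the whole signal. The checksum test is a sanity filter on what the regex finds, not proof that an address belongs to anyone; only the direct-versus-proxied difference tells you the gateway changed the page.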

It seems that the scheme has worked. Proofpoint noted that the payment pages of Sigma, GlobeImposter, and LockeR display the wrong wallets when viewed through the onion[.]top proxy, and the ransomware authors are trying to stop the scam by placing warnings and modifying the HTML code so that the wallet can't be automatically swapped. Nevertheless, the wrong Bitcoin wallets shown in Proofpoint's screenshots have received just over 2 BTC since they were created, though it must be noted that nobody can say how much of this is connected to the altered payment pages.

The phrase "There's no honor among thieves" might be a cliché, but it perfectly illustrates the situation. "Back up your data" is also slowly but surely becoming a cliché, but as you can see, heeding the advice could certainly save you a lot of trouble.
