For HomeFor BusinessFor Partners
Industry News
2 min read

Bitcoin hijack steals from both ransomware authors AND their victims

Graham CLULEY

January 31, 2018

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Bitcoin hijack steals from both ransomware authors AND their victims

Talk about having a bad day…

First you get hit with ransomware, demanding you send a Bitcoin payment to anonymous hackers

Then you realise that you don’t have a secure backup of your files, so you’ll have to pay up to have any hope of getting your files back.

And finally, after you have worked out how to buy yourself some Bitcoins online, and as you are attempting to pay the hackers their ransom… the payment gets diverted to someone else entirely.

In short, your files are still encrypted, and you’ve lost all your money.

That’s the ultimate bad-day scenario being described by security researchers who claim to have identified a scam that both steals from ransomware authors and their victims.

Here’s the background.

It’s not at all unusual for ransomware to present victims with a demand that the ransom be paid via a Tor .onion site on the dark web. Of course, the typical victim of ransomware has probably never been on the dark web, and probably doesn’t have the first clue about how to install the Tor browser.

As a result, they might use a Tor proxy instead. Tor proxy services act as a man-in-the-middle, allowing anybody to simply enter a .onion address into a website – or add a suffix to the URL such as “.to” or “.top” – to have their request completed, with no need to install special software.

Of course, you are putting an enormous amount of trust in the hands of the Tor proxy service that they are not meddling with the information you are seeing – or indeed the data that you are sending.

Fascinatingly, security researchers say that they have uncovered evidence that at least one Tor proxy is interfering with ransomware payments, effectively stealing from the ransomware’s authors and victims alike. According to Proofpoint, ransomware payment webpages are being the secretly altered when viewed via the Onion.top Tor-to-web proxy in order to display a different Bitcoin address.

Ransomware such as Sigma, GlobeImposter, and LockeR have all been identified as suffering from a sneaky switcheroo of Bitcoin wallet addresses via the proxy, giving a different payment address than when the same page is viewed via the real Tor browser.

Perhaps it’s no surprise then that some ransomware is actually warning its victims not to use Onion.top.

As always, the best way to avoid the effects of ransomware is not to have your computer or smartphone infected in the first place. Be sure to follow Hot for Security’s tips for reducing the ransomware threat before you become the next victim.

tags

Industry News

Author

Graham CLULEY

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

Right now Top posts

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read
3 in 5 travel-themed spam emails are scams, Bitdefender Antispam Lab warns
Industry News Spam

3 in 5 travel-themed spam emails are scams, Bitdefender Antispam Lab warns

August 10, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

The Safety Formula - Episode 10: Human Intuition Meets Advanced Technology
The Safety Formula

The Safety Formula - Episode 10: Human Intuition Meets Advanced Technology
Bitdefender

April 17, 2024

2 min read
Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers
Industry News

Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers
Graham CLULEY

March 06, 2024

2 min read
Crimemarket Taken Down by German Authorities
Industry News

Crimemarket Taken Down by German Authorities
Silviu STAHIE

March 05, 2024

1 min read

Bookmarks

loader