
Bitcoin hijack steals from both ransomware authors AND their victims


January 31, 2018


Talk about having a bad day…

First you get hit with ransomware, demanding you send a Bitcoin payment to anonymous hackers.

Then you realise that you don’t have a secure backup of your files, so you’ll have to pay up to have any hope of getting your files back.

And finally, after you have worked out how to buy yourself some Bitcoins online, and as you are attempting to pay the hackers their ransom… the payment gets diverted to someone else entirely.

In short, your files are still encrypted, and you’ve lost all your money.

That’s the ultimate bad-day scenario being described by security researchers who claim to have identified a scam that both steals from ransomware authors and their victims.

Here’s the background.

It’s not at all unusual for ransomware to present victims with a demand that the ransom be paid via a Tor .onion site on the dark web. Of course, the typical victim of ransomware has probably never been on the dark web, and probably doesn’t have the first clue about how to install the Tor browser.

As a result, they might use a Tor proxy instead. Tor proxy services act as a man-in-the-middle, allowing anybody to simply enter a .onion address into a website – or add a suffix to the URL such as “.to” or “.top” – to have their request completed, with no need to install special software.

Of course, you are putting an enormous amount of trust in the hands of the Tor proxy service that they are not meddling with the information you are seeing – or indeed the data that you are sending.

Fascinatingly, security researchers say that they have uncovered evidence that at least one Tor proxy is interfering with ransomware payments, effectively stealing from the ransomware’s authors and victims alike. According to Proofpoint, ransomware payment webpages are being secretly altered when viewed via the Onion.top Tor-to-web proxy in order to display a different Bitcoin address.

Ransomware such as Sigma, GlobeImposter, and LockeR have all been identified as suffering from a sneaky switcheroo of Bitcoin wallet addresses via the proxy, giving a different payment address than when the same page is viewed via the real Tor browser.
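The substitution Proofpoint describes is only visible if you have two copies of the same page to compare: one fetched through the real Tor browser and one fetched through the web proxy. The script below is an added illustration of that comparison and is not code from this article, from Proofpoint or from Onion.top. It assumes the analyst already has both HTML copies on disk (the two page bodies here are constructed samples); it pulls out legacy Bitcoin addresses, drops anything that merely looks like an address but fails the Base58Check checksum, and reports which addresses vanished and which were injected in the proxied copy.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy (P2PKH "1..." / P2SH "3...") addresses. Bech32 "bc1..."
# addresses are out of scope for this illustration.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(text: str) -> bytes:
    """Decode a Base58 string; leading '1' characters encode leading zero bytes."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on bad chars
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(text: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(html: str) -> set:
    """Return the set of checksum-valid legacy addresses found in a page body."""
    return {m for m in ADDRESS_RE.findall(html) if is_valid_legacy_address(m)}


def detect_address_swap(reference_html: str, proxied_html: str) -> dict:
    """Compare the addresses shown by the Tor-fetched page with the proxied one."""
    reference = extract_addresses(reference_html)
    proxied = extract_addresses(proxied_html)
    return {
        "tampered": reference != proxied,
        "missing": sorted(reference - proxied),   # shown via Tor, gone via proxy
        "injected": sorted(proxied - reference),  # shown via proxy only
    }


# Constructed sample pages. The addresses are well-known public ones used
# purely as test data; the third string is a deliberately corrupted
# lookalike (last character changed) that must fail the checksum.
REFERENCE_PAGE = """<html><body>
<p>Send 0.5 BTC to: <b>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</b></p>
</body></html>"""

PROXIED_PAGE = """<html><body>
<p>Send 0.5 BTC to: <b>1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2</b></p>
<!-- stray text that matches the regex but is not a real address -->
<p>ref: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb</p>
</body></html>"""


if __name__ == "__main__":
    report = detect_address_swap(REFERENCE_PAGE, PROXIED_PAGE)
    print("tampered:", report["tampered"])
    print("missing via proxy:", report["missing"])
    print("injected by proxy:", report["injected"])
```

The checksum step matters for the signal-to-noise of any such check: a page can contain many base58-looking tokens (session ids, truncated hashes), and a naive regex diff would flag those as "injected" addresses. Only strings that decode to a 25-byte payload with a matching double-SHA256 checksum are treated as addresses worth diffing.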

Perhaps it’s no surprise then that some ransomware is actually warning its victims not to use Onion.top.

As always, the best way to avoid the effects of ransomware is not to have your computer or smartphone infected in the first place. Be sure to follow Hot for Security’s tips for reducing the ransomware threat before you become the next victim.

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
