January 30, 2018 at
It’s no secret that cryptocurrencies have been hot property among hackers. As values climbed to record highs over the past few months, attackers have become increasingly inventive in exploiting the ecosystem for their own gain. In an unexpected turn, they are now also exploiting each other in the new digital rat race.
Generally speaking, a ransomware attack that demands a bitcoin payment directs the victim to a payment site hosted as a Tor hidden service. Since most victims do not have the Tor Browser installed, they often use a Tor proxy website (a clearnet site that fetches the hidden service on their behalf) to complete the transaction. Using such a proxy has an obvious downside: the proxy operator sits as a man-in-the-middle between the victim and the hidden service and can read, or simply replace, any content it relays.
The latest trend was discovered by the cybersecurity firm Proofpoint, whose researchers observed that the operators of the proxy site “onion[.]top” have been squirreling away bitcoin payments that ransomware victims intended for the campaign operators. The proxy simply replaced the bitcoin address on the ransomware payment page with one controlled by the proxy operators. In this way they stole from both the victims and their peers in the criminal community.
In a blog post, the researchers note that the technique leaves both sides worse off: the ransomware operators never receive the payment, and the victims, having paid the wrong party, never get the decryption key for their files. The researchers state that this is the first recorded instance of a technique of this kind.
According to the researchers, the proxy was used to reach the payment sites of several ransomware campaigns, including Sigma, LockerR, and GlobeImposter. In every case, the bitcoin address displayed through the proxy differed from the one shown on the campaign’s real Tor site. To date, the proxy operators have stolen a total of around $20,000 worth of bitcoin.
Surprisingly, most ransomware campaigns already seem to be aware of this emerging trend, and some have explicitly warned their victims not to use the onion[.]top website to pay.
The LockerR campaign formerly included onion[.]top links in its ransom note; it has since removed them and added a prominent warning urging victims not to use the site. The Magniber campaign splits its bitcoin address into four parts in the payment page’s HTML source, presumably so that a proxy doing a simple find-and-replace on the raw HTML no longer recognises it as an address. GlobeImposter now tells victims to make payments only through the Tor Browser.
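As an added illustration (this is not code from the article, from Proofpoint, or from any ransomware operator), the following Python sketches the three pieces described above on constructed sample pages: a proxy that rewrites bitcoin addresses in relayed HTML with a regex, the Magniber-style trick of splitting the address across several HTML elements so that a regex over the raw markup no longer matches, and a DOM-aware check that a defender could use to compare the address seen through a proxy with the one on the real Tor site. The addresses, page snippets and the address regex are all assumptions made for the demo; the regex only approximates real address formats and is not validation.

```python
import re
from html.parser import HTMLParser

# Rough shape of legacy Base58 (1.../3...) and bech32 (bc1...) addresses.
# Assumption for the demo only: this matches plausible strings, it does not
# validate checksums.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})\b"
)

# Constructed sample addresses (syntactically plausible, not real wallets).
CAMPAIGN_ADDR = "1DemoRansomCrewAddressABCDEFGHJK"   # what the ransom page shows
PROXY_ADDR = "3ProxyThiefSwappedAddressABCDEFG"     # what a dishonest proxy swaps in

# Constructed sample payment page as served by the hidden service.
ORIG_PAGE = (
    "<p>Send 0.5 BTC to " + CAMPAIGN_ADDR + " within 72 hours.</p>"
)


def rewrite_addresses(html: str, swap_in: str) -> str:
    """What the dishonest proxy does to every relayed page: replace each
    string that looks like a bitcoin address with its own address."""
    return BTC_ADDR_RE.sub(swap_in, html)


def split_address_html(addr: str, parts: int = 4) -> str:
    """Render an address as `parts` adjacent <span>s (the Magniber-style
    defence) so a regex over the raw HTML sees only short fragments."""
    size = -(-len(addr) // parts)  # ceiling division
    chunks = [addr[i:i + size] for i in range(0, len(addr), size)]
    return "".join(f"<span>{c}</span>" for c in chunks)


class _TextExtractor(HTMLParser):
    """Collects text nodes in document order (what the victim actually reads)."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def visible_text(html: str) -> str:
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def addresses_in(html: str) -> list[str]:
    """Addresses as rendered: join text nodes first, then match. This finds a
    split address that the raw-HTML regex misses, which is why the split is
    only a speed bump against a proxy that bothers to parse the DOM."""
    return BTC_ADDR_RE.findall(visible_text(html))


def addresses_differ(proxy_view: str, direct_view: str) -> bool:
    """Defender check: does the page fetched via a proxy show a different set
    of addresses than the same page fetched directly over Tor?"""
    return set(addresses_in(proxy_view)) != set(addresses_in(direct_view))


# Constructed page using the split-address defence.
SPLIT_PAGE = (
    "<p>Send 0.5 BTC to " + split_address_html(CAMPAIGN_ADDR) + " within 72 hours.</p>"
)

if __name__ == "__main__":
    print("proxy view of plain page :", rewrite_addresses(ORIG_PAGE, PROXY_ADDR))
    print("proxy view of split page :", rewrite_addresses(SPLIT_PAGE, PROXY_ADDR))
    print("rendered addresses (split):", addresses_in(SPLIT_PAGE))
    print("tampered?", addresses_differ(rewrite_addresses(ORIG_PAGE, PROXY_ADDR), ORIG_PAGE))
```

Running it shows the plain page leaving the proxy with the thief’s address substituted, the split page passing through untouched because no single text node matches, and `addresses_in` still recovering the campaign address from the split page. The lesson for a victim or analyst is the one the researchers draw: splitting the address only defeats a naive rewrite, so the reliable countermeasure is to fetch the payment page directly with the Tor Browser and compare what the proxy showed.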
The Proofpoint researchers add that although the proxy operators have so far stolen a relatively small amount of bitcoin, the threat is significant because most ransomware victims pay through proxy sites rather than installing the Tor Browser.
The researchers added that the main concern is the added risk to victims who are already in a precarious position with their files encrypted. The incident may also point to growing desperation among cybercriminals to accumulate cryptocurrency, now that some have stooped to stealing from their own peers.