Ransomware distributors and other cybercriminals expecting an easy payday are having their illicitly obtained “earnings” stolen by like-minded individuals, who are hijacking the ransom payments before they are received and redirecting them into their own cryptocurrency wallets. At first glance, this may not seem like a huge problem — attackers getting a taste of their own medicine by becoming victims of cyber-theft themselves. But these attacks also prevent ransomware victims from unlocking their encrypted files, because, as far as those distributing the malware are concerned, the ransom payment never arrived.
Ransomware is a huge problem for internet users across the globe. It is a form of malicious software — malware — that encrypts documents on a computer or across a network. Victims can often only regain access to their encrypted files and/or networks by paying a ransom to the criminals behind the ransomware.
Uncovered by researchers at Proofpoint, this scheme is believed to be the first of its kind. So how are these attacks actually happening? Cybercriminals are using a Tor proxy (the Tor Browser is designed for anonymous web surfing, and a Tor proxy lets an ordinary browser reach Tor sites) to carry out man-in-the-middle attacks, stealing the cryptocurrency payments that ransomware victims are attempting to send to their attackers.
The attacks take advantage of the way ransomware distributors have victims use Tor to reach the payment site and buy the cryptocurrency they need to make the ransom payment. While many ransom notes provide instructions on how to download and run the Tor Browser, others provide links to a Tor proxy: a regular website that relays requests to the Tor site and returns the content as normal web traffic, so that the process of paying is as straightforward as possible for the victim.
What has been happening is that one of the Tor proxies in use is altering the cryptocurrency wallet addresses in the pages it relays, so the payment is redirected into accounts other than those of the ransomware attacker. Proofpoint researchers found that the proxy can redirect payments made by victims of several ransomware families, including LockeR, GlobeImposter, and Sigma.
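Because the proxy swaps one syntactically valid wallet address for another, checksum validation alone cannot reveal the tampering; the substituted address still passes. What does reveal it is comparing the page as relayed by the proxy against the same page fetched directly over Tor (or against the address printed in the ransom note itself). The following Python script is an added example written for this article, not code from Proofpoint or from any of the tools described here. It extracts legacy Base58Check Bitcoin addresses from two copies of a page, validates their checksums, and reports which addresses disappeared and which were injected. The two HTML snippets are constructed samples, and the addresses in them are well-known public addresses used only as stand-ins.

```python
import hashlib
import re

# Legacy Base58 Bitcoin addresses: version prefix '1' (P2PKH) or '3' (P2SH),
# followed by 25-34 characters from the Base58 alphabet (no 0, O, I, l).
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on a bad character."""
    n = 0
    for c in s:
        n = n * 58 + ALPHABET.index(c)  # ValueError if c is not Base58
    # Each leading '1' encodes a leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def is_valid_base58check(addr: str) -> bool:
    """True if addr decodes to 21 payload bytes plus a correct 4-byte
    double-SHA256 checksum. Note: a substituted address will pass too."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_addresses(html: str) -> list[str]:
    """Return all checksum-valid Bitcoin addresses found in the page text."""
    return [a for a in BTC_ADDR_RE.findall(html) if is_valid_base58check(a)]


def find_substitutions(reference_html: str, proxied_html: str) -> dict:
    """Compare addresses in a directly fetched page against the proxied copy.
    'missing' = present in the reference but gone from the proxied page;
    'injected' = present only in the proxied page (the hijacker's wallet)."""
    ref = set(extract_addresses(reference_html))
    seen = set(extract_addresses(proxied_html))
    return {"missing": sorted(ref - seen), "injected": sorted(seen - ref)}


# Constructed sample: the payment page as served by the hidden service itself.
REFERENCE_NOTE = (
    "<html><body><h1>Your files are encrypted</h1>"
    "<p>Send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</p>"
    "</body></html>"
)

# Constructed sample: the same page after a tampering proxy rewrote the address.
PROXIED_NOTE = REFERENCE_NOTE.replace(
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
)

if __name__ == "__main__":
    result = find_substitutions(REFERENCE_NOTE, PROXIED_NOTE)
    print("missing from proxied page:", result["missing"])
    print("injected by proxy:        ", result["injected"])
    for a in result["injected"]:
        print(f"{a} passes checksum: {is_valid_base58check(a)}")
```

The design point is the comparison, not the validation: `is_valid_base58check` is included to show that the injected address is perfectly well-formed, which is why an integrity check needs an out-of-band reference copy rather than a format check. An incident responder with the original ransom note and a proxied fetch of the payment page can run exactly this comparison to confirm the proxy is the point of substitution.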
As noted above, the victims, like the state of Alabama, are the ultimate losers in this scenario. Not only are they paying thousands of dollars in ransom demands, they are not even getting their files back. These man-in-the-middle attacks mean the ransomware distributors never receive the funds they demanded from the victims and therefore do not help those victims unlock their encrypted files.