Ransomware distributors expecting an easy payday are having their illicit earnings stolen by other cybercriminals, who are hijacking the ransom payments before they're received and redirecting them into their own bitcoin wallets.
But not only are the attacks giving criminals a taste of their own medicine in becoming victims of cyber-theft, they are also preventing ransomware victims from unlocking their encrypted files -- because, as far as those distributing the malware are concerned, they never received their ransom payment.
Uncovered by researchers at Proofpoint, the scheme is believed to be the first of its kind: the operators of a Tor proxy are carrying out man-in-the-middle attacks on the payment pages relayed through it, so that the cryptocurrency payments ransomware victims are attempting to send to their attackers end up somewhere else.
The attacks take advantage of the way ransomware distributors direct victims to a Tor hidden service to make the ransom payment. While many ransom notes provide instructions on how to download and run the Tor Browser, others provide links to a Tor proxy -- a regular website that fetches .onion pages over Tor and serves them as ordinary web pages -- so that the process of paying is as simple as possible for the victim.
However, one of the Tor proxies in use is altering the bitcoin wallet addresses in the pages it relays, redirecting payments into accounts other than the ransomware attacker's.
Proofpoint confirmed this was the case: when the LockeR payment page was loaded through the proxy, the bitcoin address in the ransom note was replaced, with a single substitute address shown to everyone trying to use the proxy to pay the LockeR ransom.
The researchers also found that the proxy redirects payments made by victims of other ransomware families, including GlobeImposter and Sigma. While the interception attackers used a different payment address from the one substituted for LockeR, the stolen ransom payments of GlobeImposter and Sigma victims are all directed to that same, single address.
While the amount of ransom payments stolen in this way can't be fully determined, analysis of bitcoin wallets known to be used as part of this scheme indicates the attackers currently hold around two bitcoins (currently about $21,850). It's entirely possible that this represents just a fraction of the stolen ransom payments, if the attackers are withdrawing regularly from the wallets.
However, it appears that this ransom-theft scheme doesn't affect all forms of ransomware. In the researchers' tests, BitPaymer ransomware was immune to having its bitcoin address changed.
Meanwhile, those behind Magniber ransomware appear to have moved to combat address replacement by splitting the bitcoin address across four separate pieces of HTML source, so that a proxy scanning the page for an address pattern never sees a whole address to change.
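The proxy-side rewrite described above and the Magniber-style split countermeasure, as an added example in Python (this is not Proofpoint's code and not the rogue proxy's actual implementation): a simulated proxy that swaps every checksum-valid bitcoin address in a relayed page for its own, a page that splits the address across four elements so the naive pattern finds nothing, and a defender-side comparison of a page fetched directly over Tor against the proxied copy. The addresses and pages are constructed for the demo; the address-scanning regex and the span-based split layout are assumptions about how such a proxy and such a page might be built, not details from the research.

```python
"""Added example: a rogue Tor proxy rewriting a bitcoin address in a relayed
ransom-note page, and why splitting the address across several HTML elements
defeats a naive pattern-based rewrite. All addresses and pages are constructed."""
import hashlib
import re

# Base58 alphabet used by bitcoin addresses (no 0, O, I, l)
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # each leading zero byte becomes a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    return b58encode(payload + checksum(payload))


def is_valid_address(s: str) -> bool:
    """True if s is Base58Check: 1 version byte + 20-byte hash + 4-byte checksum."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]


# Candidate P2PKH/P2SH addresses: 26-35 Base58 characters starting with 1 or 3 (assumed scanner).
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def find_addresses(html: str) -> list:
    """Addresses in the page text that pass the checksum (drops random look-alikes)."""
    return [m for m in ADDRESS_RE.findall(html) if is_valid_address(m)]


def proxy_rewrite(html: str, attacker_addr: str) -> str:
    """What the rogue proxy does: swap every valid address in the relayed page for its own."""
    return ADDRESS_RE.sub(
        lambda m: attacker_addr if is_valid_address(m.group(0)) else m.group(0), html)


def split_address_html(addr: str, parts: int = 4) -> str:
    """Magniber-style countermeasure (layout assumed): emit the address as `parts`
    separate elements, so no single text run matches the address pattern."""
    step = -(-len(addr) // parts)  # ceiling division
    return "".join(f'<span class="a">{addr[i:i + step]}</span>'
                   for i in range(0, len(addr), step))


def tampered_addresses(direct_html: str, proxied_html: str) -> set:
    """Defender check: addresses present in the proxied page but absent from the page
    fetched directly over Tor. Non-empty means the proxy changed the payment address."""
    return set(find_addresses(proxied_html)) - set(find_addresses(direct_html))


# Constructed keys/addresses for the demo (not real wallets).
OPERATOR_ADDR = base58check_encode(
    b"\x00" + hashlib.sha256(b"constructed ransomware operator").digest()[:20])
PROXY_ADDR = base58check_encode(
    b"\x00" + hashlib.sha256(b"constructed proxy operator").digest()[:20])

# Constructed ransom-note fragments: one plain, one with the address split four ways.
PLAIN_NOTE = f'<p>Send 0.5 BTC to <span id="addr">{OPERATOR_ADDR}</span></p>'
SPLIT_NOTE = f"<p>Send 0.5 BTC to {split_address_html(OPERATOR_ADDR)}</p>"

if __name__ == "__main__":
    via_proxy = proxy_rewrite(PLAIN_NOTE, PROXY_ADDR)
    print("plain note via proxy :", via_proxy)
    print("split note via proxy :", proxy_rewrite(SPLIT_NOTE, PROXY_ADDR))
    print("tampered addresses   :", tampered_addresses(PLAIN_NOTE, via_proxy))
```

The checksum test matters for the proxy as much as for the defender: without it a scanner rewrites any 26-to-35 character Base58 run, which breaks pages and makes the tampering obvious. The split note passes through unchanged because each chunk is far shorter than the minimum address length, which is exactly the effect the article attributes to Magniber's change.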
While the sums of bitcoin stolen don't represent a spectacular haul, the interception attacks do create problems for ransomware distributors -- and their victims.
The victims are the ultimate losers in this scenario. Not only are they paying hundreds or even thousands of dollars in ransom demands, they're not even getting their files back in return, because the man-in-the-middle attacks mean the ransomware distributors don't think they've been paid.