Ransomware: Now crooks are stealing bitcoin ransom payments intended for rivals

A Tor proxy service is being used by crooks to divert ransom payments to their own accounts at the expense of ransomware distributors -- and their victims, according to security researchers.
Written by Danny Palmer, Senior Writer

Ransomware distributors expecting an easy payday are having their illicit earnings stolen by other cybercriminals, who are hijacking the ransom payments before they're received and redirecting them into their own bitcoin wallets.

But not only are the attacks giving criminals a taste of their own medicine in becoming victims of cyber-theft, they are also preventing ransomware victims from unlocking their encrypted files -- because, as far as those distributing the malware are concerned, they never received their ransom payment.

Uncovered by researchers at Proofpoint, it's believed to be the first scheme of its kind, with cybercriminals using a Tor proxy browser to carry out man-in-the-middle attacks to steal the cryptocurrency payments, which victims of ransomware are attempting to send to their attackers.

The attacks take advantage of the way ransomware distributors request victims to use Tor to buy the cryptocurrency they need to make the ransom payment. While many ransomware notes provide instructions on how to download and run the Tor browser, others provide links to a Tor proxy -- regular websites that translate Tor traffic into normal web traffic -- so the process of paying is as simple as possible for the victim.

However, one of the Tor gateways being used is altering bitcoin wallet addresses in the proxy, and redirecting the payment into other accounts, rather than those of the ransomware attacker.

Proofpoint confirmed that when the proxy was used, the bitcoin address in the ransom note was replaced, with a single bitcoin address substituted for everyone trying to use the proxy to pay the LockeR ransom.

Researchers also found that the proxy redirects payments made by victims of other forms of ransomware, including GlobeImposter and Sigma. While the interception attackers used a different payment address from the one used with LockeR, the stolen ransom payments of GlobeImposter and Sigma victims are both directed to the same single address.
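The substitution Proofpoint observed can be confirmed from the defender's side by fetching the same ransom note directly over Tor and through the proxy, then comparing the checksum-valid bitcoin addresses found in each copy. The following is an added example, not Proofpoint's tooling: the Base58Check routines are the standard ones, and the two addresses and the note HTML are constructed here (they are not real wallets).

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# candidate legacy (Base58Check) addresses: leading 1 or 3, 26 to 35 characters
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # every leading zero byte becomes a leading '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def base58check_encode(version: int, payload: bytes) -> str:
    body = bytes([version]) + payload
    return b58encode(body + checksum(body))

def is_valid_address(addr: str) -> bool:
    # only a 25-byte decode whose trailing 4 bytes match the checksum counts
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:-4]) == raw[-4:]

def extract_addresses(html: str) -> set:
    return {m.group(0) for m in ADDR_RE.finditer(html) if is_valid_address(m.group(0))}

def find_substitution(direct_html: str, proxied_html: str) -> dict:
    # compare the note as fetched directly over Tor with the copy a proxy served
    direct, proxied = extract_addresses(direct_html), extract_addresses(proxied_html)
    return {"missing": direct - proxied, "injected": proxied - direct}

# Constructed sample data: neither address belongs to any real wallet.
ORIGINAL_ADDR = base58check_encode(0x00, b"\x11" * 20)
PROXY_ADDR = base58check_encode(0x00, b"\x22" * 20)
NOTE_DIRECT = f"<p>Send 0.5 BTC to <b>{ORIGINAL_ADDR}</b></p>"
NOTE_VIA_PROXY = NOTE_DIRECT.replace(ORIGINAL_ADDR, PROXY_ADDR)  # what a rewriting proxy returns
```

A non-empty "injected" set means the proxy served an address that the directly fetched note never contained, which is exactly the rewrite described above.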


Tor Proxy providers are diverting ransom payments into their own pockets - at the expense of ransomware distributors and their victims

Image: iStock

While the total amount of ransom payments stolen in this way can't be fully determined, analysis of bitcoin wallets known to be used as part of this scheme indicates the attackers currently hold around two bitcoins (currently about $21,850). It's entirely possible that this represents just a fraction of the stolen ransom payments, if the attackers are withdrawing regularly from the wallets.

However, it appears that this ransom-theft scheme doesn't affect all forms of ransomware. In the researchers' tests, BitPaymer ransomware was found to be immune to having its bitcoin address changed.

Meanwhile, those behind Magniber ransomware appear to have moved to combat bitcoin address replacement by splitting the wallet address into four parts within the HTML source of the note, making it harder for proxies to find the address to change.

While the sums of bitcoin stolen don't represent a spectacular haul, the interception attacks do create problems for ransomware distributors -- and their victims.

The victims are the ultimate losers in this scenario. Not only are they paying hundreds or even thousands of dollars in ransom demands, they're not even getting their files back in return, because the man-in-the-middle attacks mean the ransomware distributors don't think they've been paid.
