Extorting bitcoins with ransomware is a very profitable business.
According to a Google report, one such ransomware family took in $25 million over two years. Now at least one Tor proxy service is trying to take its own cut: the service was found to redirect victims' ransom payments to its operators' wallets.
Ransomware demands payment in bitcoins and hosts its payment sites on Tor hidden services to stay out of reach of governments. When a victim does not want to or cannot install the Tor Browser needed to reach .onion domains, the operators suggest a Tor proxy service such as onion.top or onion.to.
A Tor proxy gives users access to .onion sites from an ordinary browser such as Google Chrome, Firefox or Edge: the user just appends .top or .to to the end of the .onion URL. These services are so popular with ransomware authors that several of them include an alternative payment URL that goes through one of these proxies.
According to the cybersecurity company Proofpoint, at least one of these services, onion.top, replaced the bitcoin payment addresses shown on ransomware pages. The researchers say the service did this regardless of the consequences for victims and collected over $22,000 in the process.
The researchers noticed onion.top's behavior when they saw a warning from the LockeR ransomware telling victims not to use the service because it steals bitcoins. The warning message reads:
“Don’t use onion.top, they replace the payment address with their own and steal bitcoins. To make sure of the payment, use the Tor browser.”
Onion.top modifies the bitcoin wallet addresses on the payment pages of at least three ransomware families: LockeR, Sigma and GlobeImposter. The replacement wallets are configured manually for each site. The small take suggests either that the operation was not very successful or that the wallets are not replaced every time.
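The substitution Proofpoint describes can be confirmed the way a researcher would: fetch the ransom note once through the Tor Browser and once through the proxy, extract the bitcoin addresses from each capture and diff them. The Python below is an added example, not code from the article or from Proofpoint; the page markup and both addresses are constructed (the hash160 bytes are arbitrary, not real keys), and the Base58Check checksum is used to reject look-alike tokens so the raw HTML can be scanned without parsing it.

```python
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') mainnet addresses: 26-34 Base58 characters.
_CANDIDATE = re.compile(r"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,33}(?![0-9A-Za-z])")

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version byte + hash160; used here only to build sample addresses."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))  # each zero byte encodes as '1'
    return "1" * leading_zeros + out

def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 bytes match the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    return _checksum(raw[:-4]) == raw[-4:]

def extract_addresses(html: str) -> list:
    """Checksum-valid addresses in the raw page, in order of appearance, without duplicates.
    The checksum rejects random Base58-looking tokens, so the HTML need not be parsed."""
    found = []
    for m in _CANDIDATE.finditer(html):
        if b58check_valid(m.group()) and m.group() not in found:
            found.append(m.group())
    return found

def compare_captures(direct_html: str, proxied_html: str) -> tuple:
    """(addresses only in the proxied copy, addresses only in the direct copy);
    both lists empty means the proxy served the same payment details as the direct page."""
    direct, proxied = set(extract_addresses(direct_html)), set(extract_addresses(proxied_html))
    return sorted(proxied - direct), sorted(direct - proxied)

# Constructed sample data: neither hash160 below belongs to a real key.
RANSOM_ADDR = b58check_encode(b"\x00" + bytes([0x11]) * 20)  # address in the genuine note
PROXY_ADDR = b58check_encode(b"\x00" + bytes([0x22]) * 20)   # address a tampering proxy swaps in
NOTE = '<html><body><p>Send 0.5 BTC to <b class="addr">{}</b> to decrypt your files.</p></body></html>'
DIRECT_PAGE, PROXIED_PAGE = NOTE.format(RANSOM_ADDR), NOTE.format(PROXY_ADDR)
if __name__ == "__main__":
    print(compare_captures(DIRECT_PAGE, PROXIED_PAGE))  # -> ([PROXY_ADDR], [RANSOM_ADDR])
```

Real captures would be the HTML saved from the Tor Browser and from the proxy; a non-empty result is the evidence of tampering, and the injected address is the one to track.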
Ransomware authors push back
According to the reports, ransomware operators are countering onion.top in different ways. Most simply tell victims not to use Tor proxy services and to pay through the Tor Browser. Some, such as MagniBer, split the bitcoin payment address across several HTML tags so that it cannot be replaced automatically.
Victims who decided to pay the ransom but whose funds went to the Tor proxy instead have not paid the extortionists, so their files will not be decrypted: the extortionists never received the ransom.
Researchers at Proofpoint said:
“It’s not necessarily a bad thing, but this raises an interesting business problem for the cyber criminals who create these viruses, and practical problems for victims of these viruses.”