Ransomware has long been a favourite way for criminals to extort money from businesses and individuals.
First, they infect the system with malware that encrypts the victim's files and documents, leaving the victim unable to open his or her own data.
Next, the ransom note instructs the victim to install the Tor Browser, which can reach .onion sites on the dark web, and to visit the attackers' payment page there. That page displays a Bitcoin address and tells the victim to deposit the ransom into it.
Once the payment is confirmed, the attackers release the decryption key to the victim's computer, or at least that is the bargain on offer.
The Tor Proxy
The Tor Project has been around for a long time. Tor is not a VPN but an anonymity network: it routes a user's traffic through a chain of volunteer relays so that no single relay sees both who is connecting and where they are going. The same anonymity is routinely used by attackers to break into systems while keeping their identity hidden.
A Tor2Web-style gateway such as onion.top lets users reach .onion sites from a regular browser like Firefox or Google Chrome without installing Tor at all. The user simply appends the gateway's domain to the .onion hostname (for onion.top, the .onion address followed by .top); the gateway fetches the page over Tor and relays it back. The catch is that the gateway sits in the middle of the connection and sees, and can alter, everything on the page. Ransomware operators were using .onion payment sites to guide victims into paying into their Bitcoin wallets, and many victims reached those sites through exactly this kind of gateway.
Onion.top Redirects Money into Its Own Account
According to the security firm Proofpoint, the operators of onion.top took advantage of that position in the middle. As payment pages passed through the gateway, they searched the page content for Bitcoin wallet addresses and replaced them with a Bitcoin address of their own.
As victims deposited money at the address shown to them, the funds went to onion.top instead of to the ransomware operators. Proofpoint's research suggests that onion.top pocketed roughly $22,000 this way by double-crossing the criminals.
The finding was later corroborated when the payment portal of one ransomware strain, LockeR, began displaying a warning telling visitors not to use onion.top. The warning stated that the site's operators were manipulating the wallet address and redirecting funds to their own accounts.
Hackers Take Countermeasures
LockeR was not the only ransomware strain affected by the tactic. Researchers also confirmed that wallet addresses on the GlobeImposter and Sigma payment portals had been swapped by onion.top, although not every wallet address appears to have been tampered with.
While some ransomware operators lost payments, others came up with new ways to keep the gateway operators from tampering with their wallets. Most moved to telling victims to use the Tor Browser directly rather than reaching the payment site through a proxy in a regular browser, which takes the gateway out of the path entirely. Magniber chose a different solution, inserting HTML tags into the wallet address so that a pattern match over the raw page content no longer finds a contiguous address, while the browser still renders it as one string for the victim to copy.
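The following Python script is an added example, not code from the original article, from Proofpoint, or from any of the ransomware families named above. It reconstructs the three pieces of the story in miniature: a gateway that regex-swaps Bitcoin addresses in the raw HTML it relays (the behaviour attributed to onion.top), the Magniber-style trick of splitting the address across HTML tags so the raw-HTML match fails, and the check an analyst can run by comparing the address served through the gateway with the one served directly over Tor. The two Bitcoin addresses and the payment page are constructed placeholders; the regex covers only legacy base58 addresses (starting with 1 or 3), which is what these 2018 portals used.

```python
import html
import re

# Legacy (base58) Bitcoin address shape: leading 1 or 3, then 25-34 base58
# characters (no 0, O, I, l). Segwit bc1... addresses are out of scope here.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Constructed sample data. Both addresses are documentation-style placeholders,
# not addresses taken from any real ransomware campaign or gateway.
RANSOMWARE_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
PROXY_OPERATOR_ADDR = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
VICTIM_PAGE = (
    "<html><body><h1>Your files are encrypted</h1>"
    "<p>Send 0.5 BTC to <b>" + RANSOMWARE_ADDR + "</b></p>"
    "</body></html>"
)


def proxy_rewrite(page_html, replacement_addr):
    """Model of an address-swapping Tor2Web gateway.

    The gateway fetches the .onion page, matches anything in the raw HTML
    that looks like a Bitcoin address and substitutes its own address before
    relaying the page to the clearnet user. This is a minimal reconstruction
    of the behaviour Proofpoint described, not the gateway's actual code.
    """
    return BTC_ADDR_RE.sub(replacement_addr, page_html)


def split_address_with_tags(addr, chunk=6):
    """Magniber-style countermeasure: emit the address as short runs separated
    by HTML tags. A browser renders it as one string, but a regex over the
    raw HTML never sees a contiguous 26+ character token to replace."""
    pieces = [addr[i:i + chunk] for i in range(0, len(addr), chunk)]
    return "".join("<span>%s</span>" % p for p in pieces)


def rendered_text(page_html):
    """What the victim actually sees and copies: tags stripped, entities decoded."""
    return html.unescape(re.sub(r"<[^>]+>", "", page_html))


def addresses_in(page_html):
    """Bitcoin addresses as the victim would read them off the rendered page."""
    return BTC_ADDR_RE.findall(rendered_text(page_html))


def payment_address_mismatch(via_proxy_html, via_tor_html):
    """The check an analyst (or a cautious victim) can run: fetch the payment
    page directly in Tor Browser and again through the gateway, then compare
    the addresses shown. Any difference means something in the path rewrote it."""
    return addresses_in(via_proxy_html) != addresses_in(via_tor_html)


if __name__ == "__main__":
    tampered = proxy_rewrite(VICTIM_PAGE, PROXY_OPERATOR_ADDR)
    print("address served via gateway:", addresses_in(tampered))
    print("mismatch vs direct fetch:", payment_address_mismatch(tampered, VICTIM_PAGE))

    hardened = VICTIM_PAGE.replace(RANSOMWARE_ADDR,
                                   split_address_with_tags(RANSOMWARE_ADDR))
    print("hardened page survives rewrite:",
          proxy_rewrite(hardened, PROXY_OPERATOR_ADDR) == hardened)
    print("victim still reads:", addresses_in(hardened))
```

The tag-splitting defence only beats a gateway that matches on the raw HTML; a gateway that strips tags or renders the page before matching would find the address again, which is why most of the other strains chose the stronger fix of keeping victims off the proxy altogether. The comparison check is the same idea Proofpoint used to establish the swap: the page fetched over Tor directly is the ground truth, and any clearnet intermediary that shows a different address has rewritten it.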
Victims Were Left Empty-Handed
Perhaps the biggest losers in this whole affair were the ransomware victims themselves. They paid the ransom to the Bitcoin address they were shown, but because the money never reached the people holding the keys, they never received their decryption keys.
Reputable anti-malware and anti-virus software, kept up to date, greatly reduces the chance of infection in the first place, and once files are encrypted there is no party in this chain the victim can trust. Intermediaries like onion.top will keep looking for ways to skim money from whoever passes through them, so a victim who does visit a .onion payment page should never do so through a clearnet proxy, and the best defense anyone can have is not becoming a victim at all.
For assistance with file recovery and ransomware removal, please contact MonsterCloud, cyber security experts in professional ransomware removal.