1. Home >
  2. Internet & Security

Ransomware Scammers Get Scammed Themselves By Tor Proxy Hack

Ransomware payments are being diverted via a man-in-the-middle attack, which is some sort of perverse justice. Still, it won't do the original ransomware victims any good.
By Ryan Whitwam
499979-ransomware-feature

Ransomware is some of the most devious and frustrating malware floating around the internet. These programs lock up your files with encryption and threaten to delete them unless you pay a cryptocurrency ransom. Victims are powerless to thwart the attack, so many just pay up. Now, it's the scammers who are the victims of a clever ruse by even more devious online criminals. Ransomware payments are being diverted via a man-in-the-middle attack, which is some sort of perverse justice. Still, it won't do the original ransomware victims any good.

The new attack on scammers was spotted by security firm Proofpoint(Opens in a new window), which noticed a warning posted to a ransomware payment portal called LockerR. This service runs on the Tor network, a spiderweb of encrypted nodes across the world that can route traffic anonymously and host hidden services. This is where many scammers operate due to the relative safety compared with the open internet. The problem is that most Ransomware victims don't know how to access Tor. Therefore, scammers direct them to Tor proxies that can load a Tor service in a standard browser. That's where the scammers are being scammed.

According to the notice posted on LockerR, the onion.top Tor proxy has started redirecting Bitcoin payments from the ransomware makers to a different address. It just replaces the original Bitcoin wallet address with the one owned by the proxy operators. The payment portal encourages victims to use the Tor browser to connect to LockerR directly in order to ensure the Bitcoins make it to the right address. So far, about $22,000 worth of ransomed Bitcoins have been "stolen" from the people who were trying to scam innocent computer users.

The LockerR payment portal was first spotted in October 2017, and has since become an increasingly popular way for ransomware makers to collect their payments. The supposed deal is that once a user pays the ransom, they will get the encryption key to unlock their files. However, the payment won't get there if it's redirected by the Tor proxy and ends up in the wallet of the wrong criminal. Thus, the victim will be out the money and still won't get their files back. Of course, not all ransomware makers are sufficiently honorable to hold up their end of the bargain in the first place.

The best course of action is to never pay these ransoms and just make sure you've got backups of your important files. Let the scammers just scam each other.

Now read: 20 Best Privacy Tips

Tagged In

Ransomware Malware Tor Bitcoin Cryptocurrency

More from Internet & Security

A screenshot of Synthesia's "Expressive Avatar" builder tool.
Nvidia-backed AI Firm Launches Lifelike Avatars for Enterprise Users
By Adrianna Nine
Three examples of deepfakes created by VASA-1.
Microsoft Swears VASA-1 Deepfake Tool Isn't for Creating Deepfakes
By Adrianna Nine
Examples of posts with Meta's "Made with AI" label on them.
Meta Will Begin Labeling AI-Generated Content. Is It Enough to Combat Misinformation?
By Adrianna Nine
Close-up of the YouTube listing in the iPadOS App Store.
YouTube Cracks Down on Third-Party Media Players That Block Ads
By Adrianna Nine
Someone typing on a computer keyboard.
US Cybersecurity Agency Will Review Malware Samples Sent by the Public
By Adrianna Nine
Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use(Opens in a new window) and Privacy Policy. You may unsubscribe from the newsletter at any time.
Thanks for Signing Up