Recently, there has been a string of attacks affecting some ransomware victims who pay their ransom in an attempt to regain access to their encrypted data. These ransom payments are being intercepted by a third party, ironcally turning the ransomware attackers into the second victim. As a result, the original ransomware victims are victimized a second time, as they won’t get their data back since the ransomware attackers never receive the ransom money.

So how do attacks like these even happen? The perpetrators of these man-in-the-middle attacks are Tor proxy service owners. But what exactly are Tor proxy services? To understand this, let’s first talk about the Tor network, the most famous darknet. Communication on Tor is very tough to trace, which is why cyber criminals like to use it to mask their online footprints. In the case of ransomware, attackers require victims to download a Tor browser in order to make ransom payments. However, many victims may find it tough to download these browsers, so attackers may simplify the process and require victims to use a Tor proxy service instead. These services allow users to communicate over the Tor network using a regular browser.

Security researchers at Proofpoint have recently discovered that some Tor proxy service owners have found a way to turn this to their advantage. These owners use the proxy service to search through the URLs being accessed, identify strings that appear to be Bitcoin wallet addresses, and replace them with their own wallet addresses. The specific ransomware families that have fallen victim to this type of attack are LockeR, GlobeImposter, and Sigma.

Cybercriminals who use ransomware aren’t taking this lying down, and most have simply eliminated the use of proxy services altogether. Some, like the attackers behind MagniBer, are splitting their Bitcoin wallet addresses into four shorter strings in the URL so that the proxy service owners cannot easily identify these addresses.

Researchers have tried to trace the amount held in these replacement wallets and found only 2 bitcoins so far. But it’s possible that this represents only a tiny fraction of the stolen ransom amount as this money is difficult to trace, and the attackers may have already used the stolen money. It’s unclear at this point whether these attacks are only a passing trend or will grow into something bigger.

Ransomware victims get the short end of the stick in such attacks as they end up paying the ransom but will never be able to recover their data. These attacks are yet another reason why we should never give in to ransom demands. Taking the appropriate preventive and remediation measures is the best way to deal with the threat of ransomware; giving in to an attacker’s demands, on the other hand, fits nowhere on the list of effective solutions.