Scammers steal payments from ransomware developers

by Jake Doevan - -

A new reason not to pay the ransom for ransomware developers

Scammers steal payments from ransomware developers

The growth of ransomware business is related to great profits. However, this illegal business might be in danger. Scammers launched man-in-the-middle attacks and used Tor proxies to steal paid ransoms. Hence, neither developers of ransomware get demanded Bitcoins, nor victims get file decryptor.

Victims of ransomware are usually asked to pay the ransom using Tor browser. However, they can also take advantage of the Tor proxy because this method does not require the installation of a browser. But the latest Proofpoint research shows[1] that the usage of proxy might no longer be an option due to the possible third-party interference.

According to the research, scammers use onion[.]top proxy in order to start man-in-the-middle attack. It means that attackers replace Bitcoin wallet address, given to the victim by ransomware developers, with their address. Hence, all the money gets into third-party's virtual pockets.

Scammers already collected around $22.000. However, ransomware developers started warning “customers” about this issue. Though, you should consider this newly discovered scam as another reason why you should not waste your money and pay the ransom.

LockerR developers were the first to warn about the issue

Authors of LockerR ransomware seems to be the first who suffered from the scammers trick. Previously, its ransom note included a direct .onion.top links in the ransom note. However, developers seemed to discover the problem and removed them.

Now their payment website greets users with a warning message:


Do NOT use onion.top, they are replacing the bitcoin addresses with their own and stealing bitcoins. To be sure you’re paying to the correct address, use Tor Browser.

However, Proofpoint analysis reveals that Globe Imposter[2] and Sigma ransomware were in the target eye of the scammers too. What is interesting that both ransomware’s Bitcoin wallet addresses were replaced with the same address that belongs to scammers. Meanwhile, in LockerR case, crooks used a different Bitcoin wallet address.

Not all ransomware businesses are in danger

Fortunately for the developers of ransomware, scammers are unable to disturb all transactions. It seems that scammers take advantage of only less sophisticated viruses which developers did not think about the possibility of wallet redirect problem.

Authors of more sophisticated cyber threats, such as BitPaymer[3] or Magniber[4] ransomware, protected their transactions. Creators of these viruses seem to thought of such possibility. For instance, Magniber ransomware split Bitcoin wallet address in the HTML source code.

However, developers of GlobeImposter fixed the problem too. They no longer provide a bold .onion link in the ransom note. This link is obfuscated and revealed only when a victim clicks on a “Decryptor” button.

This situation in the ransomware market should be another reason for victims not to pay the ransom.[5] Before, it was only a risky game whether criminals keep their word or not. But now third-parties might take the money and leave both parties without nothing quite easily.

About the author

Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions

References