Extortion viruses create a lot of problems and cost huge amounts of money to both home users and businesses. This is a form of malicious software that encrypts files on a computer or sometimes locks computers. Victims can only restore access to their data or system if they pay a ransom to criminals.

Distributors of extortion viruses have recently suffered from other similar quick-money-lovers who manipulated the system used by the first group of hackers and stole ransom payments provided by virus victims.

For some of us, this may seem like a small problem – crooks robbed other crooks. But this case did not allow ransomware victims to unblock their encrypted files, as distributors of malicious software did not receive their ransom payments. This case is considered the first of its kind.

How did it happen?

Cybercriminals do not trust VPN and use the Tor browser that they believe provides decent online anonymity. While almost all ransom notes instruct victims to download and install the Tor browser, others only provide links to Tor proxies that translate Tor traffic into normal web traffic.

The latter method is very important for hackers who seek to simplify the payment process for their victims as much as possible. For the average victim, it is much easier to follow the link than download an additional program.

Operators of the Tor proxy service called Onion.top at some point realized that their Tor gateway could be used to change the addresses of cryptocurrency wallets. They scanned their service in search of Bitcoin addresses and secretly substituted them with their own addresses.

Security researchers found that victims and operators of several ransomware strains, including notorious GlobeImposter, Sigma, and other suffered from Onion.top manipulations.

Ransomware authors detected the rogue activity of Onion.top and started to instruct their victims to avoid it and use only Tor browser instead.

As noted above, recent victims, such as, for example, the state of Alabama, are the only losers in this scenario. They paid thousands of dollars in Bitcoins, but did not get their files back as distributors of crypto-viruses did not receive their ransoms.