Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery

Cybercriminals are using Tor proxies to divert ransomware payments to their own Bitcoin wallets. Ransomware scammers have long directed victims to payment portals on the Tor network. For those who do not want to or cannot install the Tor browser necessary to pay their ransoms, operators generally direct victims to a Tor proxy …
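As an added example, not code from the article, the check below is what a responder or researcher might use to confirm the kind of substitution described above: it extracts Base58Check-valid P2PKH/P2SH addresses from a page captured directly over Tor and from the same page captured through a web-to-Tor gateway, and reports any address the gateway dropped or injected. Both page captures and both addresses are constructed sample data.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses: version byte 0x00 ("1...") or 0x05 ("3..."), Base58 body.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version+hash160; used here only to build the constructed samples."""
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    full = payload + chk
    n = int.from_bytes(full, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    # Each leading zero byte is represented by a leading '1'.
    return "1" * (len(full) - len(full.lstrip(b"\x00"))) + out


def b58check_valid(addr: str) -> bool:
    """True only if addr decodes to 25 bytes with a known version and a correct checksum."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version + 20 hash160 + 4 checksum
    except OverflowError:
        return False
    if raw[0] not in (0x00, 0x05):
        return False
    chk = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return chk == raw[21:]


def extract_addresses(html: str) -> list[str]:
    """Regex candidates filtered by checksum, so random Base58-looking strings are ignored."""
    return [a for a in ADDR_RE.findall(html) if b58check_valid(a)]


def detect_substitution(direct_html: str, proxied_html: str) -> dict:
    """Compare the address set seen directly over Tor with the set seen via the gateway."""
    direct, proxied = set(extract_addresses(direct_html)), set(extract_addresses(proxied_html))
    return {"missing": sorted(direct - proxied), "injected": sorted(proxied - direct),
            "tampered": direct != proxied}


# Constructed sample data: two payment pages that differ only in the address.
ORIGINAL_ADDR = b58check_encode(b"\x00" + b"\x11" * 20)
SWAPPED_ADDR = b58check_encode(b"\x00" + b"\x22" * 20)
PAGE_DIRECT = f"<p>Send 0.5 BTC to {ORIGINAL_ADDR} to receive your key</p>"
PAGE_PROXIED = f"<p>Send 0.5 BTC to {SWAPPED_ADDR} to receive your key</p>"
```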

Anonymous South African Coward
Silver badge

Just plain nasty.


}{amis}{
Silver badge
Devil

LOL

Couldn't happen to a nicer bunch of ~@$%'s

Put all of the ransomware creeps in a room with a bucket of half bricks; the one that crawls out at the end gets arrested!

The Nazz
Silver badge

Re: LOL

Charlies.

Half charlies.

No idea why, that's just what they were properly called around here, still are in fact.

beerfuelled
Unhappy

Re: LOL

Of course they're not actually stealing it from the ransomware scum but from the victim, who won't get their files decrypted and will likely have to pay twice.

chivo243
Silver badge

Old saying

No honor among thieves!! None! ;-}

}{amis}{
Silver badge
Devil

Re: Old saying

As a member of the IT community and thus generally lumped in with the aforementioned thieves, I resemble that comment.

Psssst, do you wanna an AlphaStation? Premio stuff going cheap.

Anonymous Coward
Anonymous Coward

Damn

They found it!

Also did you guys really have to publish this? Now the others will know also :-(

Oh well it was fun while it lasted!

YourNameHere

Twice screwed

What about the real victim here? The parent trying to get their kid's term paper back is now doubly screwed, as they still will not get their stuff back.

Gene Cash
Silver badge

Re: Twice screwed

For those that lost their term paper or vacation pictures, Confucius says:

"There are those that make backups, and those that have yet to lose irreplaceable data."

"You don't convince family members to take periodic backups. Repeated, tragic data loss convinces family members to take periodic backups. Same as everyone else."

"If it's in an online NAS, it's not a backup."

}{amis}{
Silver badge
Unhappy

Re: Twice screwed

I will admit stuff like this makes me feel bad.

I happily bash companies that don't take proper precautions against this kind of thing, but the industry has failed the average Joe off the street who just wants to send some email.

These are the people who suffer for the IT industry's failures.

gnasher729
Silver badge

Re: Twice screwed

"but the industry has failed the average Joe off the street"

That's why Apple has Time Machine.

billdehaan

Re: Twice screwed

I cannot agree more with backups.

Though most of my friends are engineering types, many are married to/derived from/have spawned mundanes. It happens in the best of the families.

I cannot count the number of quintuple levels of backups that have been casually tossed aside, reformatted, lost, or otherwise rendered inoperative, only to have absolute delirium descend when the inevitable occurred and the drive crashed.

I've had users near-hysterical because a laptop drive died (bad MBR and a heating issue to boot, very nasty), taking over a decade of irreplaceable data with it. Through a miracle of boot sector fiddling, and spraying freeze-mist at timed intervals to keep the drive at just the right temperature to not overheat and shut down, we managed to get it going, just barely.

Of course, our attempts to immediately scrape the essential data off to a backup were stymied as the user (who outranked us in the hierarchy by several levels) waved us aside, because she needed to work on the drive RIGHT NOW.

Fortunately, my co-worker, more savvy than I was, had prepared for this. He had a printed-out form ready for her to sign. It stated that she was fully aware the drive was dying, that using it prevented data from being backed up, and that her insistence on using it meant all data could be lost irretrievably.

She signed it, shooed us aside, and went to work on the "fixed" drive. Two hours later, the phone call came in, and no amount of freeze mist, holy water, or the like could put humpty dumpty back together again.

Fortunately, the business-critical data had been scraped off (we'd insisted on that); the only things that had been lost were all of the personal things that were on the laptop. Of course, she then tried to escalate the issue because the "useless" techs had not saved her critical work. This apparently included her daughter's thesis, which raised the question of why her work laptop was being used by her daughter in the first place. My co-worker presented the form she had signed, taking full responsibility, and we were lucky enough to work for sane management, and the matter was dropped.

But to this day, I'm certain that that user blames her data loss on us, "bad luck", and learned absolutely nothing from it.

You can cure ignorance, but you can't fix stupid.

Mayday
Silver badge
Gimp

Re: Twice screwed

"That's why Apple has Time Machine."

I use Time Machine, and it is good at what it does.

Time Machine would not prevent the average ransomware attack, because they also target connected drives, such as a Time Machine backup, regardless of whether it is directly connected or mounted over a network.

Bronek Kozicki
Silver badge
Alert

Re: Twice screwed

You mean, Time Machine snapshots are not immutable?

I am starting to feel lucky, as I do not use Apple products ...


Mr Han

Re: Twice screwed

This is called 'taking responsibility for your own actions' which, in many areas of modern life, seems to have been forgotten.

steve 124

And Apples don't get viruses in 3....2.....1....

@gnasher, what took so long for you to say Apple products don't suffer from this sort of thing?

If we'd just all switch to Apple, this whole industry (heck even the entire security sector) would just fade away!

LOL, I'm sorry that just cracks me up every time someone claims it. Anyone want to speculate whether the Apple Gods will even tell their users their CPUs also suffer from Meltdown and Spectre? I'm sure they engineered around that issue when designing their own custom CPUs... oh wait, dang it... INTEL!!! You Bastards!

druck
FAIL

ObfustiNOT

The attempts to obfuscate the Bitcoin address remind me of the attempts to stop spammers harvesting email addresses from web pages back in the 90s. Didn't work then, won't work now.

J. Cook
Bronze badge
Trollface

Go industrial grade or go home

NetApp snapshots are immune to being corrupted by ransomware, primarily because while it *does* act as a shadow copy to a mundane Windows machine, it's an entirely different beast behind the curtain.

While I've not actively *tested* it (no safe environment *to* test in ATM), as long as the ransomware is not executing directly on the file server, I want to say that shares using shadow copies are safe as well. YMMV, not actively tested, do not take this as ironclad, no warranty implied, etc etc etc.

Anonymous Coward
Anonymous Coward

Ah, life is hard..

Being a crook... Can never get a break, eh?!!!

wallaby
Bronze badge

Re: Ah, life is hard..

could try for president of the US

works for some.... just saying.

Anonymous Coward
Anonymous Coward

Re: Ah, life is hard..

STFU Wally, Lib.

wallaby
Bronze badge

Re: Ah, life is hard..

pfft

rednecks

BugabooSue

Beware Management Privilege...

We have a local offline (not connected to the Internet) network backup system, multiple write-once protected physical backup hard drives (in a father, grandfather, great... all the way back to the dinosaurs), and I guarantee that at some point, some idiot will screw the whole lot into Data Hell.

Our backups have (frequently tested) backups. Our servers are fully patched, mirrored and protected physically by sharks with lasers. The servers spend more processor time searching for Nasties than they do serving, but inevitably some Twot (last April it was the tight-fisted Financial Director in charge of IT spend - the delicious irony!) brought the lot to a grinding halt by using his personal laptop on the local ISOLATED storage intranet.

This was after his "son" (yeah, right!) had been caught using it at home to surf every grubby porn link known to man or beast - literally. I saw the search history and browser caches!!

Not saying what he did to the system, but the damage went back through nearly 3 months of business data before we found the root cause.

The vulnerability attacked was completely outside what any of us had envisaged (he was using the servers to save his, er, "Son's" porn collection).

We now have a new Finance Director. SHE doesn’t stand for any shit - from us, or anyone else. We get the money and resources we need, and hopefully the company doesn’t have to suffer this again.

It will happen again. To say it won't is idiotic, but at least we know that the backup system works - the network was purged and refreshed overnight and we lost nothing of importance.

I love the Easy Life. :)
