Data Unit Blog

The relationship between TOR and ransomware

During your travels around the World Wide Web (or if you’re a House of Cards fan), you may have heard the TOR (The Onion Router) network of servers mentioned. Onion routing was originally developed at the U.S. Naval Research Laboratory as a way to use the Internet anonymously. When used in that manner, the TOR network is a great concept and a lifeline for some users. For others, however, TOR is an enigmatic network with suspected links to hackers and other illegal activities.

In some countries, especially where people live under strict government regimes and censorship, TOR can be crucial to sending and receiving important news. Unfortunately, over the years TOR has become associated with the “Dark Web”: the hidden (.onion) sites that are reachable only through it, where nefarious activity can be concealed behind the anonymity the network offers its users. One example is the growing amount of ransomware that relies on the TOR network.

The current version of TOR that we've all come to know is a software tool developed by the TOR Project, which is a nonprofit organization that receives most of its funding from the U.S. Government. You might think it would be counterintuitive for the government to fund such projects, especially in light of recent news, including claims that the government is keeping tabs on the internet activities of US citizens. However, the government realizes the importance of TOR for promoting democracy in oppressed nations.

How Does TOR Operate?

As its name suggests, The Onion Router uses "onion routing" to keep a user’s activity concealed. This is done in software at the application layer of the TCP/IP stack: before a message leaves the user’s machine, the TOR client encrypts it not once but several times, once for each relay in the circuit (normally three), so the message is wrapped in onion-like layers of insulation. Each relay can strip only its own layer and learns only the previous and the next hop. The first relay sees the user’s address but not the destination, and the last (exit) relay sees the destination but not the user. That separation is what makes it so hard to link a user’s identity to where that user goes on the Internet when using the TOR Browser.

Picture: How does TOR work

Unfortunately, the TOR network is not entirely foolproof. There always remains a possibility that an adversary could identify a user or read their traffic: an exit relay sees whatever leaves the network unencrypted (anything not protected by HTTPS), and an adversary watching both ends of a connection can try to correlate them. In practice, though, it most often happens through vulnerabilities on the user’s own machine or in the browser itself, especially if the latest software updates haven't been applied. Such vulnerabilities can also lead to malware infections from less-than-stellar inhabitants of TOR.


Figure: TOR uses a routing method called Onion routing. Much like an onion, each message is covered with layers of encryption.
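The layering described above, as an added example that is not part of the original post or of the Tor Project's code. It builds a three-hop circuit, wraps a request from the inside out, and then lets each relay peel one layer and records what that relay can see. The relay names, the JSON layer format, and the keys are constructed for illustration; real Tor encrypts each hop with AES in counter mode and negotiates the keys over the circuit, whereas this example uses a toy SHA-256 keystream so it runs with the standard library only.

```python
import hashlib
import json
import os
from typing import Dict, Optional

# Constructed three-hop circuit. Real Tor circuits are also three relays long:
# entry guard, middle relay, exit relay.
CIRCUIT = ["guard", "middle", "exit"]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks.

    Toy stream cipher standing in for Tor's per-hop AES-CTR so the example
    needs no third-party library. It has no integrity protection and must
    not be used for anything real.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer (the client does this once per relay)."""
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def open_layer(key: bytes, blob: bytes) -> Optional[dict]:
    """A relay peels the outermost layer with its own key.

    Each layer is a small JSON record {"next": ..., "inner": hex}. With the
    wrong key the output is random bytes that do not parse, so None comes
    back: a relay cannot read a layer that was not meant for it.
    """
    try:
        layer = json.loads(_keystream_xor(key, blob[:16], blob[16:]))
    except ValueError:
        return None
    return layer if isinstance(layer, dict) else None


def new_circuit_keys() -> Dict[str, bytes]:
    """Stand-in for the per-hop session keys Tor negotiates while building a circuit."""
    return {relay: os.urandom(32) for relay in CIRCUIT}


def build_onion(keys: Dict[str, bytes], destination: str, payload: bytes) -> bytes:
    """Client side: wrap the request from the inside out.

    The innermost layer (the exit's) names the real destination; every outer
    layer names only the next relay in the circuit.
    """
    layer = {"next": destination, "inner": payload.hex()}
    blob = seal(keys["exit"], json.dumps(layer).encode())
    # Wrap for middle (pointing at exit), then for guard (pointing at middle).
    for relay, next_hop in zip(reversed(CIRCUIT[:-1]), reversed(CIRCUIT[1:])):
        layer = {"next": next_hop, "inner": blob.hex()}
        blob = seal(keys[relay], json.dumps(layer).encode())
    return blob


def run_circuit(keys: Dict[str, bytes], onion: bytes) -> Dict[str, dict]:
    """Forward the onion hop by hop, recording what each relay can observe."""
    views: Dict[str, dict] = {}
    prev_hop, blob = "client", onion
    for relay in CIRCUIT:
        layer = open_layer(keys[relay], blob)
        if layer is None:
            raise ValueError(f"{relay} could not peel its layer")
        views[relay] = {"from": prev_hop, "to": layer["next"]}
        prev_hop, blob = relay, bytes.fromhex(layer["inner"])
    # Only the exit ends up holding the cleartext request, and only the guard
    # ever saw the client's address.
    views["exit"]["payload"] = blob
    return views


if __name__ == "__main__":
    keys = new_circuit_keys()
    onion = build_onion(keys, "example.com:80", b"GET / HTTP/1.1")
    for relay, seen in run_circuit(keys, onion).items():
        print(f"{relay:6s} sees {seen}")
    print("middle key applied to the guard layer ->", open_layer(keys["middle"], onion))
```

Run it and compare the three views: the guard knows the client and the middle relay, the middle relay knows only two relays, and the exit knows the destination and the request body but not the client. That last point is also the caveat from the paragraph above: whatever the exit forwards in the clear is readable by whoever runs that exit, unless the payload itself is encrypted end to end.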

Taking the Bad with the Good

While the original intent of TOR was all for the good of humanity, it has indeed become a playground for those who want to hide less savory activities. TOR activity frequently pops up in investigations concerning child pornography, illegal arms trading, and drug trafficking, as the bad guys use TOR to host hidden (.onion) websites that are only reachable through TOR, so neither the visitors nor the server can easily be located.

Connection between TOR and Ransomware

The anonymity of TOR makes it the perfect place for hackers who want to hide behind its cloak. Hackers who use ransomware extort money from computer users who unknowingly download this type of malware. Infection can occur when users surf the normal Internet (typically through a malicious advert or a compromised website that exploits an unpatched browser) or when an infected email attachment is opened; the victim never has to use TOR at all. What TOR gives the attacker is an anonymous place to host the payment site and the servers that hold the decryption keys.

If a user’s computer has been infected by ransomware, it may be rendered useless, along with any other computers that share its network, because the malware encrypts not only the local disks but also any mapped or reachable network shares. Files on infected computers are encrypted and rendered useless to the user(s) unless the attacker’s key is obtained. When a business has fallen victim to TOR ransomware, it could mean that important information has been lost. This could equate to a major security breach, in addition to a significant financial hit to the business. These targeted businesses may not always be able to rely on computer backups or other safeguards that were supposedly protecting their crucial information, particularly when the backups were online and reachable from the infected machine, since those get encrypted too. This could leave them at the mercy of the hacker.

The anatomy of a ransomware attack

Picture: Anatomy of a ransomware attack

Types of Ransomware That Use TOR

Once a user’s computer has been infected by TOR ransomware, the tipoff that the hacker is hiding out on TOR is that the ransom message includes a link ending in “.onion”: an address that only resolves inside the TOR network. The hacker directs you to that TOR site, where you’ll be required to pay (typically in Bitcoin) for the decryption of your files. The problem is that once payment has been made, neither the site’s operator nor the wallet’s owner can be identified; the hacker could very well make off with the ransom and never decrypt the encrypted files.
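The “.onion” tipoff turned into a check, as an added example that is not part of the original post or of any vendor’s tooling. It scans the lines of a ransom note for onion addresses and reports them with their line numbers. It goes a little beyond the page: the families listed below used the 16-character v2 addresses, and the scanner also recognises the 56-character v3 addresses in use today and verifies the checksum they embed (SHA3-256 over ".onion checksum" || public key || version, per the Tor v3 onion-service specification), which weeds out random base32 junk. The sample note and both addresses in it are constructed here: the v3 one is generated from a dummy all-0x01 key and points at no real service, and the v2 one is made up.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# A .onion label is base32 (a-z, 2-7): 16 characters for the old v2
# addresses, 56 for v3. \b keeps us from matching the tail of a longer word.
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion\b", re.IGNORECASE)

_V3_VERSION = b"\x03"


def v3_checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + _V3_VERSION).digest()[:2]


def make_v3_address(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte key: base32(PUBKEY || CHECKSUM || VERSION)."""
    raw = pubkey + v3_checksum(pubkey) + _V3_VERSION      # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"


def v3_address_valid(label: str) -> bool:
    """True if a 56-char label decodes to version 3 with a matching checksum."""
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == _V3_VERSION and checksum == v3_checksum(pubkey)


def find_onion_links(text: str) -> List[Dict[str, object]]:
    """Return every onion address in text; v2 has no checksum, so only its shape is checked."""
    hits: List[Dict[str, object]] = []
    for m in ONION_RE.finditer(text):
        label = m.group(1).lower()
        if len(label) == 16:
            hits.append({"address": label + ".onion", "version": 2, "checksum_ok": None})
        else:
            hits.append({"address": label + ".onion", "version": 3,
                         "checksum_ok": v3_address_valid(label)})
    return hits


def scan_note(lines: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Scan a ransom note line by line, pairing each hit with its 1-based line number."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in find_onion_links(line)]


# Constructed ransom-note text (not a real sample). The v3 address is derived
# from a dummy key; the v2 address is invented and was never registered.
CONSTRUCTED_V3 = make_v3_address(b"\x01" * 32)
SAMPLE_NOTE = [
    "!!! YOUR FILES HAVE BEEN ENCRYPTED !!!",
    "To get the decrypter, install Tor Browser and open:",
    "  http://" + CONSTRUCTED_V3 + "/pay?id=7f3a",
    "Backup address: http://abcdefghijklmnop.onion",
    "Do not rename files. Support: mail@example.com",
]


if __name__ == "__main__":
    for lineno, hit in scan_note(SAMPLE_NOTE):
        print(f"line {lineno}: v{hit['version']} {hit['address']} checksum_ok={hit['checksum_ok']}")
```

Pointing `scan_note` at the text files a ransomware family drops (the README/DECRYPT notes) is a cheap first-pass indicator; the extracted address is also what you would search for in proxy logs to find other machines that have already been told where to pay.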

Some of the types of ransomware that utilize TOR are:

  • CryptoWall
  • CryptoLocker
  • TeslaCrypt
  • TorrentLocker
  • CTB-Locker
  • Onion Ransomware

In desperation, you may wind up paying for tools that promise to remove the ransomware from your computer, only to find out you've been victimized yet again. Bear in mind that removing the malware does not bring the files back; only the decryption key or a clean backup does. If you find yourself at the mercy of TOR ransomware, your best bet is to work with a professional: disconnect the machine from the network, establish whether offline backups survived, and check whether a free decryptor exists for that particular family, before resorting to paying a ransom.
