Software which redirected Tor browser users to ransomware has been detected.
According to a statement by the Tor Project, several people had contacted it reporting that software had told them to install the Tor browser to access a website, which infected visitors with the CryptoLocker ransomware.
It said: “In this case, the authors of CryptoLocker set up a website which is only reachable by using Tor. That is why people are thinking that the software is somehow related to The Tor Project.
“In fact, CryptoLocker is unrelated to The Tor Project. We didn’t produce it, and we didn’t ask to be included in the criminal infection of any computer. We cannot help you with your infection.
“We, the people of Tor, are very sorry to hear that some individual misused the anonymity granted by our service. The vast majority of our users use Tor in a responsible way.”
Tom Cross, director of security research at Lancope, told IT Security Guru that ransomware authors directed their victims to install Tor because criminals want to protect their own identities. “They hide websites behind Tor where they can accept the payment of ransoms,” he said.
“The Tor network makes it hard for law enforcement to figure out where the computer is that hosts the website. However, these websites can only be reached through the Tor network, so the criminals have to talk their victims through the process of installing Tor and getting it running on their computers.”
Nick Jones, security consultant at MWR InfoSecurity, said that as far as it was aware, the site that users were instructed to connect to over Tor was not used as the infection vector, as the victims were already infected through other sites that they had visited on the wider internet or via malicious email attachments.
“As such, it’s unlikely that this attack was specifically targeting privacy-minded users, merely using an existing product designed to enhance privacy to protect the criminals behind the attack,” he said.
He said that it was common for malicious individuals to provide alternative, infected downloads of tools such as Tor or other major browsers, and that it was not uncommon for these to catch out unsuspecting users.
“However, as the Tor Project website is the top hit for most Tor-related searches in most major search engines, this tends to catch the least technically minded users,” he said.