Cybercrime: TOR, Dark Web, Ransomware, and Cryptocurrency

Why cybercriminals love these tools: TOR, Dark Web, Ransomware, and Cryptocurrency

How are TOR, the dark web, ransomware, and cryptocurrency connected when it comes to cybercrime? Cybercriminals use The Onion Router (TOR), often in combination with a Virtual Private Network (VPN), to hide their IP address and geolocation from the services they connect to.

This gives the threat actor a degree of anonymity and privacy, making the connection and identity hard, and in some cases practically impossible, to trace. Cybercriminals use TOR to reach dark web marketplaces where they buy or trade illegal goods: hacking tools, drugs, ransomware kits, stolen credentials, or even information about your organization. Armed with TOR, a VPN, hacking tools, ransomware tools, and organization information, they attack organizations and infect their systems with ransomware. Threat actors can also extort a business by threatening to publish stolen PII or other confidential data on a dark web leak site.

At a very high level, once the attacker has a foothold in an organization's systems, they encrypt the organization's data with ransomware. The encryption renders the data unusable until it is decrypted. Before encrypting, they also try to destroy the victim's recovery options, for example by deleting volume shadow copies and any other backups they can reach. The attacker then leaves a ransom note, usually demanding payment in a cryptocurrency such as Bitcoin.

If you are now as curious as I was to know more about TOR, the dark web, ransomware, and cryptocurrency, I have taken the liberty of doing that research for you below.

What is TOR?

TOR is short for The Onion Router (hence the logo). Onion routing was originally developed at the U.S. Naval Research Laboratory so that people could use the internet without revealing who they were communicating with. Today the software is maintained by The Tor Project, a non-profit organization whose main purpose is the research and development of online privacy tools.

TOR is free software that you run on your computer (the Tor Browser bundles it with a hardened Firefox) and that hides your IP address from the sites you visit. Your traffic is wrapped in several layers of encryption, one per relay, which is where the onion name comes from. It then travels through a circuit of relays (volunteer-run servers) around the world: by default three of them, a guard, a middle and an exit, each of which peels off one layer and learns only the previous and the next hop. The network has thousands of relays and the client builds fresh circuits regularly, so the path is not fixed. Think of it as a large network of relays that keeps your online identity (meaning your IP address) and your location hidden from the destination. Websites can no longer tie your activity to the physical location of your IP address, and neither can an organization that only observes one end of the connection. Two caveats matter in practice: the exit relay sees your traffic in the clear unless the connection is itself end-to-end encrypted (HTTPS), and an adversary who can watch both ends of a circuit can still correlate traffic timing, so TOR makes tracing expensive rather than impossible. TOR is like a proxy on steroids.

TOR is useful beyond the browser because the client exposes a local SOCKS proxy (port 9050 by default), so remote log-in applications, instant-messaging clients and other software can be routed through it as well. The Tor Project is registered as a nonprofit, so it runs mainly on donations and on volunteers who operate relays for the network.

What is the Deep and Dark Web and why do you need TOR?

TOR is essential for accessing the dark web. The dark web refers to sites that are not indexed by search engines and are reachable only through specialized software such as the Tor Browser. The deep web is everything that is not indexed: intranets, paywalled content, databases, and anything behind a login. The dark web is a small, deliberately concealed part of that deep web that few people will ever interact with or even see. In the usual iceberg picture, the surface web is the visible tip, the deep web is everything under the waterline that is still reachable with the right software or credentials, and the dark web is the bottom of the submerged part.

Breaking down the construction of the dark web reveals a few key layers that make it an anonymous haven:

  • No webpage indexing by surface web search engines. Google and other popular search tools cannot discover or display results for pages within the dark web.

  • "Virtual traffic tunnels" through a randomized network infrastructure: both the visitor and the site connect through TOR circuits, so neither side learns the other's IP address.

  • Inaccessible by traditional browsers. .onion addresses are not registered with any DNS registry; a v3 onion address is derived from the service's own public key and is resolved only inside the TOR network, so a normal browser cannot even look it up. Services are further hidden by ordinary network security measures such as firewalls and encryption.

  • The reputation of the dark web has often been linked to criminal intent or illegal content.

How does ransomware work?

Attackers use TOR to hide the infrastructure behind a ransomware operation, such as command-and-control servers, payment portals and data leak sites. So what is ransomware, you ask?

Modern ransomware uses a hybrid encryption scheme. Each file (or the whole victim) gets a fresh symmetric key, for example AES or ChaCha20, because symmetric ciphers are fast enough to encrypt terabytes of data. That symmetric key is then encrypted with an asymmetric public key embedded in the malware, and the matching private key never leaves the attacker's server. The key pair is uniquely generated by the attacker for each victim, so paying one ransom does not help anyone else.

The attacker makes the private key (or a decryptor containing it) available to the victim only after the ransom is paid, though as seen in recent ransomware campaigns, that is not always the case. Without the private key, decrypting the files is computationally infeasible when the scheme is implemented correctly; the free decryptors that occasionally appear exist only because a particular family made an implementation mistake, such as a predictable key or a key left on disk, and no victim should count on that. Many variations of ransomware exist. Ransomware (and other malware) is often distributed through email spam campaigns or targeted attacks. Malware needs an attack vector to establish its presence on an endpoint, and once present it stays on the system until its task is accomplished.

After a successful exploit, the ransomware drops and executes a malicious binary on the infected system. This binary searches for and encrypts valuable files such as Microsoft Word documents, images and databases, typically skipping the operating system's own files so that the machine still boots and can display the ransom note. The ransomware may also exploit system and network vulnerabilities, or reuse stolen credentials, to spread to other systems and possibly across the entire organization. Once files are encrypted, the ransomware demands payment within a deadline, often 24 to 48 hours, after which the price rises or the key is said to be destroyed. If no backup is available, or the backups were themselves encrypted, the victim is left choosing between paying the ransom and losing the files.
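To make the key handling concrete, here is an added example written for this page (not code from any real ransomware family, and not the author's own code) of the hybrid scheme in Go using only the standard library; the type and function names are my own. It generates a per-victim RSA key pair, encrypts a constructed sample file with a fresh AES-256-GCM key, wraps that key under the attacker's public key, and shows that the file comes back only with the matching private key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what the victim is left with: the ciphertext plus the
// per-file AES key wrapped under the attacker's RSA public key.
type EncryptedFile struct {
	Name       string
	WrappedKey []byte // RSA-OAEP(attacker public key, AES key)
	Nonce      []byte // 12-byte GCM nonce, stored in the clear
	Ciphertext []byte // AES-256-GCM(file contents), Name used as associated data
}

// GenerateAttackerKey models the per-victim key pair. Only the public half is
// embedded in the payload; the private half stays on the attacker's server.
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile does what the malicious binary does to each file: a fresh
// symmetric key per file, AES-GCM for speed, RSA-OAEP to lock the key away.
func EncryptFile(pub *rsa.PublicKey, name string, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32) // AES-256 key, never written to disk
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// The plaintext symmetric key is discarded here; only the wrapped copy survives.
	return &EncryptedFile{Name: name, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is the "decryptor" the victim receives after paying: it needs
// the attacker's private key to unwrap the per-file key. Any other key fails.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, []byte(ef.Name))
}

func main() {
	attacker, err := GenerateAttackerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample "file" for the demo; not real data.
	ef, err := EncryptFile(&attacker.PublicKey, "quarterly-report.docx", []byte("Q3 revenue: 4.2M"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %d bytes ciphertext, %d bytes wrapped key\n", ef.Name, len(ef.Ciphertext), len(ef.WrappedKey))
	if _, err := DecryptFile(attacker, ef); err == nil {
		fmt.Println("decrypts with the attacker's private key")
	}
	other, _ := GenerateAttackerKey()
	if _, err := DecryptFile(other, ef); err != nil {
		fmt.Println("fails with any other key:", err)
	}
}
```

The point to take from the example is that nothing recoverable is left on the victim's disk: the AES key exists only for the instant it is wrapped, and the 256-byte wrapped blob is useless without the private half that stayed on the attacker's server.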

What can you do about this? 

There are many steps you can take as an individual or an organization to reduce the chance of ransomware taking hold of your assets.

·         Train yourself and your users to spot phishing and other social engineering attempts, since email is still the most common delivery vector

·         Harden your devices with anti-malware, intrusion prevention, firewalls and regular patching

·         Back up all important data to an external location the malware cannot reach (offline or immutable storage, with its own credentials protected by MFA), and test that you can actually restore from it

·         Require MFA on all critical applications and on every remote access path, such as VPN and RDP

·         Perform vulnerability and penetration testing to identify weaknesses in your assets before an attacker does
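Destroying shadow copies and backups, as described earlier, leaves a signature in process-creation telemetry, which is something the hardening and monitoring steps above can act on. The following is an added example of my own (not tooling from this page or from CyberSecOp): a small Go detector run over constructed sample command lines. The patterns cover the well-known recovery-inhibition commands (vssadmin, wmic, bcdedit, wbadmin); the sample lines are made up for the demo and the pattern list is illustrative rather than exhaustive.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hit records one suspicious command line and the technique it matches.
type Hit struct {
	Line      string
	Technique string
}

// Commands ransomware commonly runs to inhibit recovery before encrypting.
// Matching is case-insensitive and tolerant of .exe suffixes, quoting and
// extra whitespace. Illustrative list, not exhaustive.
var recoveryTamperPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"vssadmin shadow copy deletion", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?"?\s+delete\s+shadows\b`)},
	{"vssadmin shadow storage resize", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?"?\s+resize\s+shadowstorage\b`)},
	{"wmic shadow copy deletion", regexp.MustCompile(`(?i)\bwmic(\.exe)?"?\s+shadowcopy\s+delete\b`)},
	{"bcdedit disables Windows recovery", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?"?\s+/set\s+\{(default|current)\}\s+recoveryenabled\s+no\b`)},
	{"bcdedit ignores boot failures", regexp.MustCompile(`(?i)\bbcdedit(\.exe)?"?\s+/set\s+\{(default|current)\}\s+bootstatuspolicy\s+ignoreallfailures\b`)},
	{"wbadmin deletes backup catalog", regexp.MustCompile(`(?i)\bwbadmin(\.exe)?"?\s+delete\s+catalog\b`)},
}

// FindRecoveryTampering scans process command lines (one per entry) and
// returns every line that matches a known recovery-inhibition command.
// A line is reported once, under the first pattern it matches.
func FindRecoveryTampering(commandLines []string) []Hit {
	var hits []Hit
	for _, line := range commandLines {
		for _, p := range recoveryTamperPatterns {
			if p.re.MatchString(line) {
				hits = append(hits, Hit{Line: strings.TrimSpace(line), Technique: p.name})
				break
			}
		}
	}
	return hits
}

// SampleCommandLines is a constructed set of process-creation command lines
// (the kind the CommandLine field of Sysmon Event ID 1 or Windows event 4688
// carries). It is demo data, not real telemetry.
var SampleCommandLines = []string{
	`C:\Windows\System32\vssadmin.exe delete shadows /all /quiet`,
	`"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete`,
	`bcdedit.exe /set {default} recoveryenabled No`,
	`wbadmin delete catalog -quiet`,
	`vssadmin list shadows`,                                // benign: listing, not deleting
	`"C:\Program Files\Backup\agent.exe" --verify-catalog`, // benign backup agent activity
}

func main() {
	for _, h := range FindRecoveryTampering(SampleCommandLines) {
		fmt.Printf("[%s] %s\n", h.Technique, h.Line)
	}
}
```

In production this would be fed from an endpoint agent's process-creation events rather than a static slice. Note the tuning choice: listing shadow copies is left unflagged because administrators and backup software do it routinely, while deleting or resizing them almost never happens outside change windows and deserves an alert, or better, a block.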

Need help implementing the above recommendations? Want more information? Reach out to the experts at CyberSecOp and take a proactive step toward preventing ransomware and other types of malware from infecting you.