A Tor proxy service is being used by crooks to divert ransom payments Attack.Ransom to their own accounts at the expense of ransomware distributors -- and their victims , according to security researchers . Ransomware distributors expecting an easy payday are having their illicit earnings stolen by other cybercriminals , who are hijacking the ransom payments Attack.Ransom before they 're received and redirecting them into their own bitcoin wallets . But not only are the attacks giving criminals a taste of their own medicine in becoming victims of cyber-theft , they are also preventing ransomware victims from unlocking their encrypted files -- because , as far as those distributing the malware are concerned , they never received their ransom payment Attack.Ransom . Uncovered by researchers at Proofpoint , it 's believed to be the first scheme of its kind , with cybercriminals using a Tor proxy browser to carry out man-in-the-middle attacks to steal the cryptocurrency payments , which victims of ransomware are attempting to send Attack.Ransom to their attackers . The attacks take advantage of the way ransomware distributors request Attack.Ransom victims to use Tor to buy the cryptocurrency they need to make the ransom payment Attack.Ransom . While many ransomware notes provide instructions on how to download and run the Tor browser , others provide links to a Tor proxy -- regular websites that translate Tor traffic into normal web traffic -- so the process of paying Attack.Ransom is as simple as possible for the victim . However , one of the Tor gateways being used is altering bitcoin wallet addresses in the proxy , and redirecting the payment Attack.Ransom into other accounts , rather than those of the ransomware attacker . Meanwhile , those behind Magniber ransomware appear to have moved to combat bitcoin address replacement by splitting the HTML source code of wallets into four parts , thus making it harder for proxies to find the address to change . While the sums of bitcoin stolen do n't represent a spectacular haul , the interception attacks do create problems for ransomware distributors -- and their victims . The victims are the ultimate losers in this scenario . Not only are they paying Attack.Ransom hundreds or even thousands of dollars to in ransom demands Attack.Ransom , they 're not even getting their files back in return because the man-in-the-middle attacks mean the ransomware distributors do n't think they 've been paid Attack.Ransom .