to their own accounts at the expense of ransomware distributors -- and their victims, according to security researchers.

Ransomware distributors expecting an easy payday are having their illicit earnings stolen by other cybercriminals, who are hijacking the ransom payments before they're received and redirecting them into their own bitcoin wallets. But not only are the attacks giving criminals a taste of their own medicine in becoming victims of cyber-theft, they are also preventing ransomware victims from unlocking their encrypted files -- because, as far as those distributing the malware are concerned, they never received their ransom payment.

Uncovered by researchers at Proofpoint, it's believed to be the first scheme of its kind, with cybercriminals using a Tor proxy browser to carry out man-in-the-middle attacks to steal the cryptocurrency payments which victims of ransomware are attempting to send to their attackers.

The attacks take advantage of the way ransomware distributors request victims to use Tor to buy the cryptocurrency they need to make the ransom payment. While many ransomware notes provide instructions on how to download and run the Tor browser, others provide links to a Tor proxy -- regular websites that translate Tor traffic into normal web traffic -- so the process of paying is as simple as possible for the victim. However, one of the Tor gateways being used is altering bitcoin wallet addresses in the proxy, and redirecting the payment into other accounts, rather than those of the ransomware attacker.

Meanwhile, those behind Magniber ransomware appear to have moved to combat bitcoin address replacement by splitting the HTML source code of wallets into four parts, thus making it harder for proxies to find the address to change.
While the sums of bitcoin stolen don't represent a spectacular haul, the interception attacks do create problems for ransomware distributors -- and their victims. The victims are the ultimate losers in this scenario. Not only are they paying hundreds or even thousands of dollars in ransom demands, they're not even getting their files back in return, because the man-in-the-middle attacks mean the ransomware distributors don't think they've been paid.
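The two mechanisms the article describes (a proxy rewriting the address in page source, and Magniber splitting the address across several HTML elements so a source-level scan no longer finds it) can be shown with a small amount of code. The following Python is an added example, not code from the article, from Proofpoint or from any malware family it names. It validates a candidate address with the Base58Check checksum, extracts addresses from raw HTML and from the text a browser would render, and compares what a page renders against the address an analyst expects; the ransom-note HTML, the `address_tampered` helper and the use of the well-known Bitcoin genesis-block address as the "expected" value are all constructed for the example.

```python
import hashlib
import re
from html.parser import HTMLParser

# Added example: shows (1) Base58Check validation of a candidate address and
# (2) why an address split across HTML elements is missed by a scan of the raw
# source but still present in the rendered text. Sample HTML is constructed.

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address shape: leading 1 or 3, 26..35 Base58 chars,
# not embedded in a longer Base58 run.
B58_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![1-9A-HJ-NP-Za-km-z])"
)


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA-256 checksum."""
    n = 0
    for ch in addr:
        d = B58.find(ch)
        if d < 0:
            return False  # character outside the Base58 alphabet
        n = n * 58 + d
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    data = b"\x00" * leading + body
    if len(data) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


class _RenderedText(HTMLParser):
    """Collect the text a browser would display; block-level tags start a new line."""
    BLOCK = {"p", "div", "br", "li", "tr", "td", "h1", "h2", "h3", "pre"}

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)


def rendered_text(html: str) -> str:
    parser = _RenderedText()
    parser.feed(html)
    return "".join(parser.parts)


def addresses_in_source(html: str) -> list:
    """Valid addresses visible to a scan of the raw HTML source."""
    return [a for a in B58_RE.findall(html) if base58check_valid(a)]


def addresses_in_rendered(html: str) -> list:
    """Valid addresses visible in the rendered text, inline splits joined."""
    return [a for a in B58_RE.findall(rendered_text(html)) if base58check_valid(a)]


def address_tampered(html: str, expected: str) -> bool:
    """True unless the page renders exactly the one address the analyst expects."""
    return addresses_in_rendered(html) != [expected]


# Constructed test data. EXPECTED is the Bitcoin genesis-block address, used only
# because it is a well-known, certainly valid Base58Check string.
EXPECTED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
NOTE_INTACT = (
    "<html><body><p>Send payment to:</p>"
    "<p>1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa</p></body></html>"
)
NOTE_SPLIT = (  # same address, split into four inline elements as the article describes
    "<html><body><p>Send payment to:</p><p>"
    "<span>1A1zP1eP5</span><span>QGefi2DMP</span><span>TfTL5SLmv</span><span>7DivfNa</span>"
    "</p></body></html>"
)
NOTE_SWAPPED = NOTE_INTACT.replace(EXPECTED, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2")

if __name__ == "__main__":
    for name, note in [("intact", NOTE_INTACT), ("split", NOTE_SPLIT), ("swapped", NOTE_SWAPPED)]:
        print(name, "source:", addresses_in_source(note),
              "rendered:", addresses_in_rendered(note),
              "tampered:", address_tampered(note, EXPECTED))
```

Run as a script, the split note yields no address from the source scan but the full address from the rendered text, which is the whole point of the Magniber change; the swapped note is flagged because the rendered address is not the expected one. Note that Base58Check only proves an address is well-formed: a substituted address controlled by a thief passes the checksum just as well, so the comparison against a reference address obtained out of band is what detects the swap, not the validation alone.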
This Locky spam dip has been seen by multiple observers, such as security firms Avast and Check Point, and security researchers Kevin Beaumont, MalwareTech, MalwareHunterTeam, and others. According to Check Point, which recently released a report on December's most active malware families, Locky spam numbers have gone down 81%. Previously, in October, Locky had been ranked as the top malware threat in the world, while now, in December, Locky is not even in the top 10 anymore.

The same thing can also be seen in a chart released by Avast. Even if the chart doesn't cover the last ten days, Locky spam numbers have remained at the same low levels as during the holidays. The only tiny trail of activity in the chart above is the Locky ransomware delivered as a second-stage download for Kovter campaigns.

Kovter is a click-fraud malware that infects computers and clicks on invisible ads on the user's behalf. This malware has been around for years, and recently, it started distributing a wide range of secondary payloads. In January 2016, Kovter downloaded and installed a proxy client on infected PCs, transforming infected hosts into proxy servers for the ProxyGate web proxy service. This allowed the Kovter gang to make a side profit by routing web traffic through infected PCs, while also earning money from its main activity: click-fraud.

In the same month, Kovter also started distributing a version of the Nemucod ransomware, for which Fabian Wosar of Emsisoft had successfully created a decrypter. Disheartened by Wosar's success, the group behind Kovter switched to several ransomware variants in the following months, and eventually settled on renting and distributing Locky starting with October, as part of an affiliate scheme, splitting the ransom payments with the Locky crew.
Researchers can easily track Locky infections distributed by the Kovter group by the affiliate IDs 23 and 24, found in Locky's configuration file, present on every infected system. PhishMe researchers have recently published a blog post detailing the Kovter spam emails that have been distributing Locky ransomware in the past weeks. At the moment, these spam emails are the only source of Locky infections. Previously, most of the spam emails distributing Locky came via Necurs, a botnet of PCs infected with the Necurs bootkit. The Necurs botnet is the same botnet responsible for the distribution of the Dridex banking trojan, one of the most advanced banking trojans known today.