Ransomware’s Achilles’ Heel

This is a post series on cybercrime. For more posts click here or the cybercrime tag below.

Apparently the French police have realized the vulnerability of ransomware: the extortionists have to communicate with their victims. And since the French have no vested interest in maintaining the TOR network, they went for the actual TOR hardware.

WannaCry communicates with a command and control server hosted on the Dark Web, on a .onion address. Aeris suspects his servers were used as first hops in this connection, hence the reason police seized his property, hosted via French hosting provider Online SAS.

Most Tor servers are configured to log very few details, such as uptime and status metrics, so as to safeguard the privacy of their users. Unless Aeris made customizations to the default configs, French police have no chance of finding any useful information on the seized servers.

Tens of Tor servers disappeared on the same weekend

In the media storm caused by the wave of WannaCry attacks, this small incident went unreported outside of French media. Aeris also confirmed the seizure of his servers on Twitter.

The investigation is led by France’s cyber-crime investigation unit OCLCTIC (L’Office Central de Lutte contre la Criminalité liée aux Technologies de l’Information et de la Communication).

The activist pointed out that tens of other Tor nodes in France disappeared over the same weekend. In a private conversation with Bleeping Computer, the activist shared a list of 30 servers he is currently investigating regarding these mysterious disappearances.

https://www.bleepingcomputer.com/news/security/french-police-seize-two-tor-relays-in-wannacry-investigation/

As the Bleeping Computer article pointed out, seizing the hardware isn’t going to do the French much good once the servers are cut off from the TOR network. On the other hand, with 30-odd nodes gone in France alone, and the possibility that the French could go after other nodes in the EU, the TOR network in the EU could end up essentially shut down.
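To make the logging point concrete: below is a minimal relay torrc, added here as an illustration and not taken from the seized servers, the article, or the Tor Project’s own files. The nickname, contact address and log path are assumptions. What matters for an investigator holding a seized disk is what is absent: with the defaults shown, a relay keeps no record of which client talked to which destination, and SafeLogging scrubs addresses out of the few lines it does write.

```text
# Added example of a minimal Tor relay configuration (torrc).
# Nickname, ContactInfo and the log path are assumed values, not real ones.

Nickname        exampleRelay
ContactInfo     relay-admin@example.net
ORPort          9001

# A non-exit (middle/guard) relay only forwards encrypted cells; it never
# sees the plaintext or the final destination of the traffic it carries.
ExitRelay       0

# Logging: only operational notices (startup, bootstrap, bandwidth self-test,
# warnings). Nothing here records per-connection or per-circuit activity.
Log notice file /var/log/tor/notices.log

# Default is already 1: client addresses in log lines are replaced by [scrubbed].
SafeLogging 1

# What a privacy-preserving relay should NOT do: debug-level logging writes far
# more connection and circuit detail to disk, which is exactly the kind of
# material a seized server should not contain. Left disabled on purpose.
# Log debug file /var/log/tor/debug.log
```

The defence-side takeaway is the one the article makes: a relay operator who leaves logging at notice level with SafeLogging on has little to hand over, whereas an operator who raised the log level for troubleshooting and forgot to lower it has turned the disk into evidence about users who trusted the network.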

http://thehackernews.com/2017/06/wannacry-ransomware-tor-relay.html

The people at TOR have taken a “we’re not responsible” stance on ransomware and attempted to hide behind common carrier laws to prevent the incrimination and exposure of the people using the network for criminal means. It may be that the WannaCry attack was the last straw for many law enforcement agencies.

For anybody wanting to know how to catch people on TOR.

Here’s the week in ransomware.

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-9th-2017-jaff-spectre-and-macransom/
