A ransomware attack on an Israeli company has led researchers to trace a portion of the ransom payment to a website that advertises sensual massage services.
The attack was carried out by a relatively new ransomware operation, known as Ever101, which broke into an Israeli "computer farm" and encrypted its devices.
A new report by the Israeli cybersecurity companies Profero and Security Joes states that Ever101 is believed to be a variant of the Everbe or Paymen45 ransomware.
When encrypting files, the ransomware appends the .ever101 extension and drops a ransom note named !=READMY=!.txt in each folder on the computer.
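The two file-system indicators just described (the extension and the note filename) can be turned into a quick triage sweep. The following is an added example, not part of the original report or of the researchers' tooling: it walks a directory tree (here a constructed temporary one) and reports folders that hold .ever101 files or the ransom note.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the report above.
RANSOM_NOTE = "!=READMY=!.txt"
ENCRYPTED_EXT = ".ever101"


def scan_for_ever101(root):
    """Walk `root`; return (folder -> count of .ever101 files, folders with the note)."""
    hits = {}
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        if encrypted:
            hits[dirpath] = len(encrypted)
        if RANSOM_NOTE in filenames:
            note_dirs.append(dirpath)
    return hits, note_dirs


def build_sample_tree():
    """Constructed sample data: a temp dir mimicking a partly encrypted host."""
    root = tempfile.mkdtemp(prefix="ever101_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "budget.xlsx.ever101").write_bytes(b"\x00" * 16)
    (docs / "notes.docx.ever101").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed placeholder ransom note")
    clean = Path(root, "Pictures")
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return root


def summarize(root):
    """Aggregate the sweep into a small report dict for an analyst."""
    hits, note_dirs = scan_for_ever101(root)
    return {
        "encrypted_files": sum(hits.values()),
        "affected_folders": sorted(hits),
        "ransom_note_folders": sorted(note_dirs),
    }


if __name__ == "__main__":
    print(summarize(build_sample_tree()))
```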
While examining one of the infected machines, investigators found a "Music" folder containing various tools used during the attack, which shed light on the threat actor's tactics, techniques and procedures. Interestingly, some of the tools the attackers left behind, such as WinRAR, were in Arabic.
Of particular interest is what the researchers found after using CipherTrace to track the ransom payment as it flowed through different bitcoin wallets.
Following the payment, they found that a small portion of the ransom (0.01378880 BTC, or about $590) was sent to a "Tip Jar" on the RubRatings website.
RubRatings is a site that allows "massage providers" in the US to advertise their services, many of which offer sensual massage.
Each provider profile includes a Tip Jar button that lets customers leave a bitcoin tip for their recent massage.
Investigators believe part of the ransom payment went to an Ever101 member in the US, who then used the coins either to tip a masseuse or, more likely, to launder the ransom payment through the site.
Because bitcoin transactions are easily traced by law enforcement, ransomware operations are looking for new ways to launder their illicit profits.
So it is possible that the threat actors created a fake account on RubRatings and used the Tip Jar function as a way to launder the ransom.
Source: bleepingcomputer.com