The use of the Tor browser on corporate networks could lead to security vulnerabilities as targeted "ransomware as a service" attacks increase, according to a report released by IBM.
The quarterly X-Force Threat Intelligence Report also reveals that the use of targeted ransomware is on the rise and that Tor is being used to mask how this malicious software travels through networks.
Tor, also known as the Onion Router, is a network that was set up and is currently partially funded by the US government. It is used by security services, intelligence agencies and whistleblowers to allow safe and anonymous communication. However, the capabilities of Tor mean it is also used for more nefarious purposes.
"The design of routing obfuscation in the Tor network provides illicit actors with additional protection for their anonymity. It can also obscure the physical location from which attacks originate, and it allows attackers to make the attack appear to originate from a specific geography," states the report.
The IBM report highlights how cyber criminals using Tor can take advantage of the dark net's encryption of communications and of the location data often used to identify an internet user.
"Tor can serve as a proxy with exit points known as "exit nodes" to allow users to anonymously browse web pages externally to the World Wide Web. This offers moderate anonymity to anyone looking to hide their identity as well as encrypt communication back to their host computer or device."
The report reveals that the industries most likely to come under attack from a Tor-based origin are communications, manufacturing and finance, with communications alone amounting to over 300,000 'events' between January and May this year.
The United States is by far the most popular origin of attack with nearly 200,000 'events' over the same five-month period, followed by the Netherlands (150,000) and Romania (75,0000).
It is this 'identity masking' offered by Tor that cyber criminals are now using to spread increasingly evolved ransomware, which is becoming more targeted, according to the IBM report.
Ransomware attempts to elicit money from computer users by locking them out of their computers and demanding a fee to unlock the system. It comes in many forms, commonly as fake anti-virus updates, and is a lucrative financial avenue for cyber criminals.
The IBM report notes that ransomware has evolved to "ransomware as a service" that is now going after businesses as well.
"So far, the victims have primarily been end users, but as the X-Force team takes a closer look at how ransomware is evolving, we observe that the technical sophistication is increasing as ransomware also begins to specialise, targeting specific communities," says the report.
"As defenses take different approaches, new attack opportunities arise, technology changes, and attack mechanisms - including ransomware - evolve."
"We are observing the start of a prolonged battle with ransomware, as ransomware attacks diversify from simple scams to more elaborate ones that target high-value communities or businesses."
The combination of Tor use and an increase in targeted ransomware attacks could leave Tor users on a corporate network vulnerable. As such, IBM warns that use of Tor should be limited.
"Corporate networks really have little choice but to block communications to these stealthy networks. The networks contain significant amounts of illegal and malicious activity. Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions."
The IBM report lists a number of recommendations for corporations to prevent the use of Tor on their networks including prohibiting the use of personally owned removable devices, altering the BIOS of computers to boot only to the hard drive and limiting the use of unapproved encrypted proxy services.
The threat from ransomware remains a major problem for web users, with the FBI's Internet Crime Complaint Center (IC3) revealing that the CryptoWall ransomware netted crooks $18m in April this year alone.