Mysterious ransomware payment traced to a sensual massage site
2021-06-22 14:09

A ransomware attack targeting an Israeli company has led researchers to trace a portion of the ransom payment to a website promoting sensual massages.

"During our investigation of the infected machines, we came across what seemed to be a treasure trove of information stored in the Music folder. It consisted of the ransomware binary itself, along with several other files - some encrypted, some not - that we believe the threat actors used to gather intelligence and propagate through the network," explains Profero's and Security Joe's report.

Of particular interest is what the researchers discovered after they used CipherTrace to track the ransom payment as it flowed through different bitcoin wallets.

Each masseuse profile includes a Tip Jar button that allows customers to leave a bitcoin tip for their recent massage.

The researchers believe that some of the ransom payment went to an Ever101 operative in the USA, who then used the coins to tip a masseuse or, more likely, used the site as a way to launder the ransom payment.

"The second possibility is that the provider on the site was used as another method of obfuscating the bitcoin movement," the researchers explain.


News URL

https://www.bleepingcomputer.com/news/security/mysterious-ransomware-payment-traced-to-a-sensual-massage-site/