Basics of Deep Web
1 What Is Deep Web?

The deep web, in contrast to the publicly accessible Internet, is the part of the Internet that is inaccessible to conventional search engines. The Onion Router (Tor) is the most popular means of accessing it. The Tor network consists of computers running the Tor software, and its structure resembles an onion: only the outermost layer can be seen from outside, and the layers must be stripped one by one before the core is visible. On the Tor network, traffic between relays is encrypted with a separate point-to-point symmetric key per hop, which produces this layered structure.

2 Why Can the Deep Web Be Anonymous and Untraceable?

Assume that a user wants to browse the Google home page anonymously. On the Tor network, the user's computer sends the web request, encrypted in several layers, to a randomly chosen computer running Tor (this computer is called the guard). After stripping off the first encryption layer, the guard forwards the request to another randomly chosen relay, which removes the next encryption layer and forwards the request again, and so on. The last computer in the chain is called the exit node. Once the exit node removes the last encryption layer, the real destination address of the request (here, the address of the Google home page) is revealed. During this process the first computer knows the sender's network address and the exit node knows the destination's network address, but no single computer in the chain knows both. This layer-by-layer encrypted routing scheme is what Tor implements.
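The multi-hop scheme described above, with a separate key per hop and one encryption layer per relay, is easier to see in code. The script below is an added example and is not from the original post or from the Tor project: it simulates a three-hop circuit with a toy symmetric cipher (a SHA-256 keystream plus an HMAC tag, standing in for the AES-CTR and key handshake that real Tor uses), with relay names, keys and the request all constructed for the demonstration. Each relay peels exactly one layer and records only the next hop it learned, and a guard that reuses its own key on the next layer fails the integrity check instead of reading anything.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Added example, not code from the original post. It simulates the layered
# (onion) encryption described above with a toy symmetric cipher: a SHA-256
# keystream XORed over the data plus an HMAC tag. Real Tor uses AES-CTR and a
# Diffie-Hellman handshake to agree each hop's key; here each relay's key is
# simply generated and handed to it when the circuit is built (an assumption).

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key + nonce + block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One onion layer: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; a wrong key fails the integrity check instead of yielding junk."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

@dataclass
class Relay:
    name: str
    key: bytes                                     # key shared with the client for this hop
    seen: list[str] = field(default_factory=list)  # next-hop names this relay learned

    def peel(self, blob: bytes) -> tuple[str, bytes]:
        """Remove this relay's layer and return (next hop, remaining onion)."""
        inner = decrypt(self.key, blob)
        next_hop, _, payload = inner.partition(b"|")
        self.seen.append(next_hop.decode())
        return next_hop.decode(), payload

def build_onion(relays: list[Relay], destination: bytes, request: bytes) -> bytes:
    """Wrap the request once per relay; the innermost layer carries the real destination."""
    onion = encrypt(relays[-1].key, destination + b"|" + request)
    for i in range(len(relays) - 2, -1, -1):       # walk back from the exit toward the guard
        onion = encrypt(relays[i].key, relays[i + 1].name.encode() + b"|" + onion)
    return onion

def route(relays: list[Relay], onion: bytes) -> tuple[str, bytes]:
    """Forward hop by hop; only the exit ends up holding the destination and request."""
    next_hop = ""
    for relay in relays:
        next_hop, onion = relay.peel(onion)
    return next_hop, onion

def guard_key_opens_next_layer(relays: list[Relay], onion: bytes) -> bool:
    """Check whether the guard's key can also strip the middle relay's layer (it must not)."""
    _, _, middle_layer = decrypt(relays[0].key, onion).partition(b"|")
    try:
        decrypt(relays[0].key, middle_layer)
        return True
    except ValueError:
        return False

def demo() -> tuple[list[Relay], str, bytes, bytes]:
    """Build a three-hop circuit (constructed names and keys) and send one request."""
    relays = [Relay(name, os.urandom(32)) for name in ("guard", "middle", "exit")]
    destination, request = b"www.google.com", b"GET / HTTP/1.1"
    onion = build_onion(relays, destination, request)
    seen_destination, seen_request = route(relays, onion)
    return relays, seen_destination, seen_request, onion

if __name__ == "__main__":
    relays, dest, req, onion = demo()
    for relay in relays:
        print(f"{relay.name:6} learned next hop(s): {relay.seen}")
    print("exit delivers", req, "to", dest)
    print("guard key opens middle layer:", guard_key_opens_next_layer(relays, onion))
```

Running it shows the property the text relies on: the guard's record contains only "middle", the middle relay's only "exit", and only the exit learns the destination and the request, while the sender's identity is known only to the guard.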
When Tor is used to create a private network path, the user's software (the client) builds a circuit out of several encrypted connections through relays on the network. The circuit is extended hop by hop, and each relay on the circuit knows only the previous relay it received data from and the next relay it sends data to. No single relay knows the complete path of a packet. The client negotiates an independent set of keys with each hop on the circuit, so the data cannot be traced at any single hop.

3 How Does the WannaCrypt Ransomware Worm Use Tor to Elude Tracing?

Let's see how the criminals behind WannaCrypt use Tor to hide themselves. According to the analysis, after WannaCrypt is executed it drops an executable named tasksche.exe in C:\windows (on Windows 7). This program is the ransomware component that encrypts files on disk. Once it runs, the ransom interface appears.
In the sample release file list, there are lots of files and folders whose extension name is wnry. In the TaskData directory, a Tor-related client program is found.
This program is used to communicate with the server on the deep web. The configuration list of the communication server is in c.wnry.
The following list shows the deep web servers found in the configuration:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

So what is the role of these deep web servers in the WannaCrypt incident? We find that clicking the Decrypt button on the ransom interface decrypts only a few files.
The analysis shows that WannaCrypt stores a decryption key locally, but this key can decrypt only a small number of files. To decrypt all files, the victim must pay for the private decryption key. The analysis shows that the paid private key is delivered by a server on the Tor network; the servers listed above are the ones hidden on the deep web for delivering it. The WannaCrypt decryption process is as follows:
The following figure shows some of the packets, captured after CheckPayment is clicked, in which the ransomware communicates with the deep web server. The server can be seen to be gx7ekbenv2riucmf.onion.
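Server names like the five listed above, and the one seen in the capture, are the kind of indicator a defender can hunt for in carved configuration data or in proxy logs. The script below is an added example and not from the original post: it extracts .onion names from a byte blob and matches them against that list. The two sample inputs are constructed for the demonstration and do not reproduce the real c.wnry layout; the regular expression accepts both 16-character v2 names, as in the list, and 56-character v3 names, so it is more general than the case on the page.

```python
from __future__ import annotations

import re

# Added example, not code from the original post. The five names below are the
# servers listed for the WannaCrypt sample above; everything else is constructed.
WANNACRYPT_ONION_SERVERS = frozenset({
    "gx7ekbenv2riucmf.onion",
    "57g7spgrzlojinas.onion",
    "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion",
    "cwwnhwhlz52maqm7.onion",
})

# v2 onion names are 16 base32 characters, v3 names are 56; both use [a-z2-7].
ONION_RE = re.compile(rb"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")

def extract_onion_addresses(blob: bytes) -> list[str]:
    """Return every distinct .onion name found in a byte blob, in order of appearance."""
    found: list[str] = []
    for match in ONION_RE.finditer(blob.lower()):
        address = match.group(0).decode("ascii")
        if address not in found:
            found.append(address)
    return found

def match_iocs(addresses, iocs=WANNACRYPT_ONION_SERVERS) -> set[str]:
    """Intersect extracted names with a known-bad list."""
    return {a for a in addresses if a in iocs}

def scan(blob: bytes) -> dict:
    """Combine both steps into one report for a file or log excerpt."""
    found = extract_onion_addresses(blob)
    hits = match_iocs(found)
    return {
        "onion_addresses": found,
        "ioc_hits": sorted(hits),
        "verdict": "match" if hits else "clean",
    }

# Constructed sample 1: NUL-separated strings as carved from a binary config
# (not the real c.wnry layout).
SAMPLE_CONFIG = (
    b"\x00gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;"
    b"76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion\x00"
    b"https://example.com/\x00"
)

# Constructed sample 2: proxy log lines with one hit among benign traffic and
# an unrelated v3 name; the case of the hit is deliberately mixed.
SAMPLE_LOG = b"\n".join([
    b"2019-01-01T10:01:02Z CONNECT www.example.com:443 200",
    b"2019-01-01T10:01:09Z CONNECT GX7EKBENV2RIUCMF.ONION:80 200",
    b"2019-01-01T10:02:44Z CONNECT "
    b"abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion:80 200",
])

if __name__ == "__main__":
    for label, sample in (("config", SAMPLE_CONFIG), ("log", SAMPLE_LOG)):
        print(label, scan(sample))
```

The match is done on the lowercased bytes, so a name logged in upper case still hits, and the report keeps every .onion name seen, not only the matches, because an unknown name reaching a Tor client from a host that should not be running one is itself worth a look.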
This shows that the key server plays a central role in the ransomware incident. To avoid being traced or shut down, the criminals deploy the server on the deep web and use a Tor client to communicate with it.

4 What Else Can Tor Do for Cybercrime?

Tor can be exploited to build botnets. Botnet operators deploy their C&C services on the Tor network to hide the C&C servers. Such botnets bundle Tor components into the malware they distribute; infected zombie hosts communicate with the C&C servers through Tor, and the operators control the zombies through those C&C servers on the Tor network.
When a botnet is built on Tor, it is difficult to trace and expose the controllers' identities. Moreover, the C&C servers are not exposed, which removes the risk of their being shut down.

Tor can also be used by ransomware. Ransomware falls into two classes: crypto-ransomware and locking ransomware. Crypto-ransomware renders user data inaccessible by applying cryptography to files, disks, and databases on the victim's devices. Locking ransomware maliciously changes passwords on the victim's devices to keep users from accessing resources on them. Ransomware often uses the Tor network for both control and payment. Control works much as in the botnet case: the servers are generally hidden on the Tor network. For payment, the Tor network hosts the address where bitcoins are to be paid. For example, CryptoWall 3.0 and PETYA ransomware provide a link ending in .onion in the ransom note to tell the victim the transaction address, which is difficult to trace.
Tor can be used for black markets. The Tor network hides the sender's address information as well as the receiver's server address, so the deep web has become a haven for black markets, and numerous trading sites exist on it. You can find anything you want on the deep web. The most famous of these was the anonymous marketplace "Silk Road". Although "Silk Road" has been shut down, similar websites still exist on the deep web.
t****@huawei.com 2019-07-02 20:09:14 Very detailed write-up, I learned a lot!