Sunday, 21 February 2016

Curiouser & Curiouser: Tor Hidden Services Rollercoaster Continues

In the last couple of blog posts I've been talking about some unusual (possibly unprecedented) increases in the number of unique .onion addresses on the Tor network.  I've still seen no convincing argument as to what is causing these changes. The two primary candidates are a) a new form of instant messenger, and b) malware, possibly Locky.

However, changes of all kinds are interesting, and so I was fascinated to see that no sooner had I been talking about the number of unique .onion addresses shooting up (and it was reported more widely) than their number began to fall, almost as quickly.  I wonder if this tells us any more about what is causing these remarkable variations:

I revisited the reporting that Tor conducts, and from which the figures are drawn. Whatever form of mean or median you calculate, the trend in unique .onion addresses looks the same: a rapid rise followed by a sudden decline.

There has been a levelling off and a small drop in the number of Tor relays reporting hidden service statistics (plotted above with the trend in unique .onion addresses), but I can't see any obvious correlation, and, unless a few relays were seeing a disproportionately large number of hidden services, the method of gathering the statistics would remain sound, i.e. it doesn't look like a reporting error.  But I've learned never to say never, so whilst unlikely, it is not impossible.
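To make that "unless a few relays" caveat concrete, here is an added example (constructed for this post; it is not the Tor Project's code, and it ignores the noise and binning that real relay reports carry). It takes per-relay counts of distinct .onion descriptors seen, scales each up by the slice of the HSDir ring that relay covered, and then combines the per-relay estimates three ways: plain mean, median, and interquartile mean. The relay names and numbers are made up; one relay, relay8, is deliberately reporting ten times more onions than its share of the ring would explain.

```python
"""Constructed example: a simplified version of the extrapolation used to
turn relay-reported hidden-service statistics into a network-wide estimate.

Each opted-in relay reports how many distinct .onion descriptors it saw
while acting as a hidden-service directory (HSDir).  A relay only sees the
slice of the HSDir ring it is responsible for, so its raw count is scaled
up by that slice, and the per-relay estimates are then combined with a
statistic that is robust to a handful of odd relays.  Relay names and
figures below are made up; real reports also carry added noise and
binning, which this example ignores.
"""
from statistics import mean, median

# (relay nickname, distinct onions seen, share of the HSDir ring in permille)
# Constructed data: seven ordinary relays and one, relay8, whose count is
# ten times larger than its ring share would lead us to expect.
SAMPLE_REPORTS = [
    ("relay1", 300, 10),
    ("relay2", 310, 10),
    ("relay3", 290, 10),
    ("relay4", 600, 20),
    ("relay5", 150, 5),
    ("relay6", 280, 10),
    ("relay7", 330, 10),
    ("relay8", 3000, 10),
]


def extrapolate(reports):
    """Scale each relay's raw count up to a network-wide estimate.

    Returns (relay, estimate) pairs; relays that covered no part of the
    ring cannot contribute and are skipped."""
    return [
        (relay, seen * 1000 / permille)
        for relay, seen, permille in reports
        if permille > 0
    ]


def interquartile_mean(values):
    """Mean of the middle 50% of values: drops the top and bottom quarter."""
    xs = sorted(values)
    cut = len(xs) // 4
    return mean(xs[cut:len(xs) - cut])


def summarise(reports):
    """Network-wide unique-.onion estimate under three statistics."""
    est = [e for _, e in extrapolate(reports)]
    return {
        "mean": mean(est),
        "median": median(est),
        "iqm": interquartile_mean(est),
    }


def flag_outliers(reports, factor=3.0):
    """Relays whose extrapolated estimate is more than `factor` times above
    or below the median.  If such relays exist, the plain mean is skewed by
    them while the median and interquartile mean are largely unaffected."""
    pairs = extrapolate(reports)
    mid = median(e for _, e in pairs)
    return [relay for relay, e in pairs if e > mid * factor or e < mid / factor]


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORTS))
    print("suspect relays:", flag_outliers(SAMPLE_REPORTS))
```

With the constructed data the mean is pulled to roughly double the median by relay8 alone, while the median and interquartile mean barely move when relay8 is dropped. That is the check worth running against the real per-relay reports: if the robust statistics and the mean diverge, a few relays are dominating the count; if all three rise and fall together, as the post observes, the movement is in the bulk of the reporting relays and a reporting artefact becomes much less likely.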

If the increase had been due to the new anonymous messenger, Ricochet, I don't see why users would remove their addresses.  It may be that these addresses have simply become inactive.  Maybe they have gone offline pro tem.  If that is the case, why remains an open question.

If the increase were due to Locky, why would it remove these addresses?  The analysis of Locky so far has not confirmed that it creates unique .onion addresses.  If it does prove to create them, this would suggest that it is also somehow cleaning up after itself.  Perhaps victims are paying up and, as soon as they do so, the addresses are removed to cover the criminals' tracks.  If that is the case then this suggests a depressingly large proportion of victims are paying up, but that would be consistent with what surveys tell us about how victims respond to ransomware: 40%+ admit to paying up.

Whatever is happening, it is damned strange, but I can't help but be fascinated to try to work out what lies behind these recent changes.