Days after the WannaCry ransomware broke out in over a hundred countries, the French police seized a server running TOR relays that belonged to an activist, Aeris. The police said the servers were seized because of a “connection” to the WannaCry ransomware.
The French activist highlighted the incident on the Tor Project’s mailing list. There, he stated that users should no longer trust the specific relays in question; they had also served as entry relays that TOR clients use as a gateway when first connecting to the TOR network.
The statement also mentioned how his servers were seized after a major business was infected by WannaCry. The infected organisation logged all outbound traffic during the attack and provided the information to the police.
WannaCry ransomware operates via a command and control server that hides itself behind the TOR network. Aeris believes that his servers served as the entry point through which the malware’s traffic reached the TOR network.
Many TOR servers are designed to only log minimal information such as status information and uptime. Unless Aeris altered the settings on his machines, the French police have nothing to extract from his servers.
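As an added illustration (not code from the article or from the Tor Project), the script below shows the kind of correlation an infected organisation’s outbound traffic logs make possible: matching destination addresses and ports against a list of known TOR relays. Every address, fingerprint and log line here is a constructed placeholder, not real data from the case.

```python
"""Correlate outbound connection logs with a list of known Tor relays.

Added example, not taken from the article. The relay list and log lines
below are constructed placeholders (documentation address ranges), not real
relays or real traffic.
"""
import ipaddress
from collections import defaultdict

# Constructed relay list in a simplified "fingerprint ip orport flags" form.
RELAY_LIST = """\
AAAA1111 198.51.100.10 9001 Guard,Running
BBBB2222 198.51.100.11 443 Running
CCCC3333 203.0.113.5 9001 Guard,Running
"""

# Constructed outbound firewall log: timestamp src_ip dst_ip dst_port action.
FIREWALL_LOG = """\
2017-05-12T10:01:03Z 10.0.0.15 198.51.100.10 9001 ALLOW
2017-05-12T10:01:04Z 10.0.0.15 192.0.2.7 443 ALLOW
2017-05-12T10:02:17Z 10.0.0.22 203.0.113.5 9001 ALLOW
2017-05-12T10:03:00Z 10.0.0.30 198.51.100.11 443 ALLOW
"""


def parse_relays(text):
    """Return {ip_address: (fingerprint, orport, set_of_flags)}."""
    relays = {}
    for line in text.splitlines():
        fp, ip, port, flags = line.split()
        relays[ipaddress.ip_address(ip)] = (fp, int(port), set(flags.split(",")))
    return relays


def find_tor_contacts(log_text, relays):
    """Map each internal host to the relays it reached, flagging Guard relays.

    A hit requires both the relay's IP and its advertised ORPort: the same
    address may host unrelated services on other ports.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, action = line.split()
        if action != "ALLOW":
            continue
        relay = relays.get(ipaddress.ip_address(dst))
        if relay and relay[1] == int(port):
            fp, _, flags = relay
            hits[src].append((ts, fp, "Guard" in flags))
    return dict(hits)
```

A hit only shows that a host reached a TOR entry relay; it says nothing about where the circuit went afterwards, which is exactly why the relay operator’s own machines hold so little of investigative value, as noted above.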
The media was full of news about the WannaCry ransomware, but this incident was reported only by local outlets. The French activist also tweeted about his property being seized by the local authorities.
The Office Central de Lutte Contre la Criminalité liée aux Technologies de l’Information et de la Communication (OCLCTIC), the French cybercrime investigation unit, is handling this case.
Aeris believes there is more to the investigation, since other TOR servers in France went offline before the incident. The activist also provided a list of the servers he is looking into.
It is not yet confirmed how many servers were involved in the WannaCry ransomware. There is very little information about these events, and the parties involved are reluctant to share anything related to the TOR servers.