1. Anonymity 

For cybercriminals, getting away with the ransom is not simple. It is equally important for them to stay hidden and cover their tracks; otherwise, they have a good chance of being caught by security agencies. Criminals are more exposed to risk at the time of collecting the ransom, so being anonymous is important.

Fortunately for the ransomware authors, they don't need to solve the problem of anonymity themselves. Solutions such as The Onion Router (TOR) and the Invisible Internet Project (I2P) are already available. Both are meant to maintain anonymity. While TOR is also used for legitimate purposes, I2P is more inclined to the dark web.

Routing is a term in computer networking for transferring data from a sender to a receiver via intermediate computers called routers. The sender and receiver are not directly connected. In traditional routing (IP routing), the intermediate routers know the identity of both the sender and the receiver. TOR implements a concept called onion routing, while I2P implements garlic routing. In both cases, the intermediate routers don't have knowledge of both the sender and the receiver. This is what maintains anonymity in TOR and I2P.

We won't dig too much into the internals of TOR and I2P, but I2P is the first preference for hackers and is meant for dark practices on the web. A user can browse the internet using a TOR browser to maintain their anonymity. Malware can also use TOR clients for the same purpose.

A lot of ransomware instructs victims to make payments through a URL that is usually on a .onion domain. Such domains can only be accessed with a TOR browser, so the victim makes the payment on the .onion domain, and both the victim and the hacker remain hidden from other people. The following is a ransom note from the GOLDENEYE PETYA ransomware:

Ransom note asking to pay ransom using TOR
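
Because ransom notes carry .onion payment URLs, a triage script can pull those hostnames out of a dropped note and record them as indicators. The following is an added example, not code from the book; the function names and the sample note are constructed for illustration. It goes beyond the text in distinguishing the legacy 16-character address format from the current 56-character one, whose embedded checksum it verifies.

```python
import base64
import hashlib
import re

# Candidate hostnames: a base32 label (a-z, 2-7) of 56 or 16 characters before ".onion".
ONION_RE = re.compile(r"(?<![a-z2-7])([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def v3_checksum_ok(label: str) -> bool:
    """Validate a 56-character label: base32(pubkey[32] | checksum[2] | version[1])."""
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected


def find_onion_hosts(text: str) -> list[tuple[str, str]]:
    """Return (hostname, kind) for each distinct .onion hostname, in order of appearance."""
    found = {}
    for match in ONION_RE.finditer(text):
        label = match.group(1).lower()
        if len(label) == 16:
            kind = "v2"          # legacy short address format
        elif v3_checksum_ok(label):
            kind = "v3"
        else:
            kind = "invalid-v3"  # right shape, wrong checksum: typo or mangled text
        found.setdefault(label + ".onion", kind)
    return list(found.items())


def make_v3_label(pubkey: bytes) -> str:
    """Build a well-formed v3 label from 32 bytes (used only to create test data)."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()


# Constructed sample text, not taken from any real ransom note.
SAMPLE_NOTE = (
    "Your files are encrypted. Install the Tor Browser and open\n"
    "http://aaaabbbbccccdddd.onion/pay or\n"
    f"http://{make_v3_label(bytes(range(32)))}.onion/pay\n"
    f"Mirror: {'a' * 56}.onion\n"
)

if __name__ == "__main__":
    for host, kind in find_onion_hosts(SAMPLE_NOTE):
        print(kind, host)
```
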