The February 2015 IBM MSS Threat Report article provided quality information about Tor and its functionality. It concluded that it is definitely necessary for businesses to block access to Tor or other similar networks from their corporate networks.
If a user installs a proxy on a corporate machine, it's likely the traffic to the first IP address in the Tor circuit would be encrypted, therefore hiding the traffic. Users could also install another Tor node in the company network in addition to the Tor proxy on the infected host.
TAILS, a live, Linux-based operating system, can be used to boot a machine and connect to the Tor circuit by default, bypassing any local operating system functions. Once TAILS is shut down, no evidence is left on the computer.
Several days ago, a new variant of the popular Zeus banking Trojan, known as Sphinx, appeared for sale on the black market. It has been designed to operate entirely through the Tor network. Sphinx is immune to sinkholing, blacklisting and the ZeuS tracker.
Additional features of Sphinx include (but are not limited to) the ability to intercept certificates when used to establish a secure connection, make money transfers from a victim's computer and redirect users to a phishing site without changing the URL.
IBM ERS detected the use of the Tor circuit to launch powerful password attacks on a customer's website as well as an outbreak of ransomware across the US in 2015. They also uncovered the use of Tor sites to facilitate the Bitcoin payment of ransoms from victims of the outbreak. Ransomware infections on computers were due to “drive-by” infections in which a user accessed an infected webpage and was unaware of being infected with the malware. The infections and remediation lost a lot of money in downtime and missed business opportunities.
Anyone can host a Tor node. If a Tor relay is running on a network, an administrator could be an unwilling organiser of an attack on other networks or within their own networks.