To make the browser show the little lock in the address bar, I suppose?
Granted, that's still kind of pointless because you still have to self-sign, which gives scarier warnings than being unencrypted[0].
A knowledgeable user wouldn't care - they'd know that they installed a Tor gateway that resolves .onion to itself, so they're just as protected as they are on TLS. The catch here is that the ransomware operators are trying to criminally extort less-knowledgeable users and bureaucratic IT staff that are just being told to "run Tor and pay us in Monero to get your files back".
[0] There's nothing preventing these operations from shipping their own browser or root cert - they are, after all, already running on the local machine outside of any sandboxing. No clue if they do this.
Granted, that's still kind of pointless because you still have to self-sign, which gives scarier warnings than being unencrypted[0].
A knowledgeable user wouldn't care - they'd know that they installed a Tor gateway that resolves .onion to itself, so they're just as protected as they are on TLS. The catch here is that the ransomware operators are trying to criminally extort less-knowledgeable users and bureaucratic IT staff that are just being told to "run Tor and pay us in Monero to get your files back".
[0] There's nothing preventing these operations from shipping their own browser or root cert - they are, after all, already running on the local machine outside of any sandboxing. No clue if they do this.