Video: Cybercriminals switching from ransomware to mining malware attacks
Cyber-crooks are always looking for new means of making money and, for much of the last two years, ransomware was the cyber-attack of choice for those looking to quickly make money.
Recently, however, attackers have been leaving ransomware behind and are increasingly embracing a new form of making money from the internet: cryptocurrency mining.
Like many others, cybercriminals have recognised the potential riches that could await using the processing power of computers to mine for cryptocurrencies such as bitcoin and Monero, especially following the bitcoin boom of late last year.
However, rather than spending money on specialist systems to legitimately mine cryptocurrency, criminals are turning to cryptojacking malware to do the work for them.
The idea is simple: unwitting victims have their computer or smartphone infected with malware, which uses the CPU power of the device to mine currency, with the profits being directed back into the wallet of the attacker.
Aside from heavy use of the PC fan and driving up the energy cost of using the computer, cryptojacking doesn’t make itself obvious if it’s not pushed too far, as the average victim isn’t likely to worry too much about their computer being a bit noisier than usual.
“Criminals act like a business. They’ll have a business model for making as much money as they can with as little risk as possible — and cryptocurrency mining represents a good return on investment and a low risk way of doing it,” Mike McLellan, senior security researcher at the SecureWorks Counter Threat Unit, told ZDNet.
That cryptojacking doesn’t require interaction with victims the way ransomware does offers a number of benefits to the crooks: it leaves the user unaware their machine is infected with malware, meaning rather than providing payment in one quick hit like ransomware, the operation can be sustained for a long period of time.
It also doesn’t matter where in the world the victim is, allowing attackers to profit from virtually anyone — opening additional markets of potential targets and fuelling the move towards cryptojacking.
“With a ransomware infection you might get a big pay off, but if you infect a computer in Africa, it’s very unlikely you’re actually going to get a payout from that. In areas of the world where people are less likely to pay ransoms, you might have just ignored those even though they’re ripe for infection,” Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks, told ZDNet.
“But with cryptocurrency mining, it’s completely egalitarian: different systems perform differently at how they mine cryptocurrency, but they can all do it, so they’re all equal targets. That’s an important element of why we’re seeing this transition.”
Cryptojacking is also increasingly attractive to attackers as, not only does it funnel funds directly into the wallets of attackers without the need to interact with the victims, but the anonymous nature of cryptocurrency means that, unlike some other forms of cybercrime, there’s no need for elaborate systems to hide or launder the profits.
“Even when you think of the ease of stealing banking credentials, when you’re dealing with regulated currencies, there are a lot of frameworks you have to work around to get it back into their pockets without it being easily traceable,” Randi Eitzman, senior cyber security analyst at FireEye, told ZDNet.
“Cryptocurrencies offer that advantage to criminals. They don’t have to have the system of money mules to launder the currencies. It’s just running code on a remote machine and collecting profits,” she added.
While the initial profits from cryptocurrency mining aren’t as immediate as ransomware or selling stolen credentials, some of those who’ve focused heavily on this space have made millions of dollars in the last year alone.
The code behind cryptojacking malware is relatively simple and it can be delivered via phishing campaigns, malvertising, compromised websites, or even software downloads. Once on a system, the game is all about not getting caught.
While some attackers have been known to brazenly spin up CPUs to one hundred percent capacity, those campaigns don’t last long because they can cause irreversible damage to the device — and a broken system doesn’t provide any benefit to malicious miners.
It’s why those with serious networks of hijacked machines are tailoring instructions to systems: they spin up the CPU to such an extent that over time they can provide a decent profit, but do so while not running at such high capacity that the operation is uncovered.
“It’s a numbers game: infect as many computers as you can, then keep them infected. You might think just make it 100 percent all of the time and that’s what a lot of attackers do, because they think they’ll earn the most money that way,” said Olson.
“But if you use 100 percent of the CPU, the user is more likely to notice it’s slow and make choices which lose you the mining device. There are choices attackers need to make to earn the most money over time — they’ve got to think about the most bang for their buck.”
Attackers have a large selection of devices to choose from, with servers, computers, and smartphones among the systems known to have fallen victim to cryptocurrency mining.
But, as they’re already successfully infecting devices that people use every day, there’s an obvious next step for attackers to take advantage of, while further decreasing the chance of getting caught: Internet of Things devices.
These connected devices have little power, but with billions in use around the world, often installed and forgotten about — and commonly with little in the way of security — they make a tempting target for cryptojacking.
“It’s a concern that the industry should be aware of — especially when the mining scripts are small, lightweight, and easily configurable,” said Eitzman.
“If they can configure the scripts to use very little processing power for whatever device they’re infected, you could potentially run mining scripts on devices the user may not even notice the increase in power consumption on.”
While these devices have such low processing power that attackers aren’t going to be able to make large amounts of money from them unless they control a vast network, it nonetheless provides an additional avenue for illicit profiteering.
More worryingly, an infected IoT device could serve an important purpose, and exploiting these devices could lead to more than just excessive consumption of power.
“It’s going to have unintended consequences. IoT devices are low-powered and don’t have high-end CPUs, but they do serve functions. If you were to max out their CPU, they might not be able to respond, control the lightbulbs, cameras, whatever it might be,” said Olson.
At the opposite end of the scale to small IoT machines, there’s another potentially lucrative target for attackers to exploit, although it would take additional time and resources to compromise: public cloud servers.
“Right now, if someone were to steal credentials for my cloud provider, if they wanted to they could spin up many virtual machines for mining cryptocurrency for them, and I may not notice until I get a huge bill at the end of the month,” said Olson.
This kind of attack would be a shorter-term affair than most cryptomining attacks, but even if an attacker can exploit a large server farm for just a few weeks, it would be an appealing prospect for those who have the skills.
“Those are going to be shorter-term infections, because people will realise the miners exist, but you could make a pretty significant amount of money by taking advantage of those extremely powerful machines for a short period of time,” Olson added.
There’s another potential tool which could make the arsenal of cryptojackers even more powerful: EternalBlue, the leaked SMB exploit which helped make WannaCry ransomware so powerful. The exploit’s worm-like capabilities allowed it to quickly spread to networks around the globe.
In the case of WannaCry, the ransom note made it obvious a machine had been compromised. However, if something like EternalBlue were used in conjunction with a cryptojacker, it could become a potent tool for the attackers — especially given how the worm spreads without user interaction.
“With cryptocurrency miners, the victim doesn’t need to be complicit in it at all — it can be happening without them even knowing,” said McLellan.
“Anything where the criminals can get this onto machines which doesn’t require victims to click on a link or open an attachment is powerful, because the longer they remain undetected, the more money they make and the bigger they can make this network of mining hosts.”
Indeed, such attacks have already been seen in the wild, although they don’t have the same reach as WannaCry.
These are just some examples of where malicious cryptocurrency mining could go. If the history of cybercrime is anything to go by, crooks will look for any potential avenue they can exploit in the distribution and operation of cryptojacking.
“We’re definitely just getting started in this space. We’re going to see a lot more innovation and means of collecting cryptocurrencies. We’re going to see a lot more innovation come out of the cybercrime side as the protocols develop and change,” said Eitzman.
Indeed, one technique that’s already been spotted in the wild is cryptojacking malware that removes previously installed malicious miners from systems — it’s indicative of how this particular battleground is hotting up.
Nonetheless, despite the rise of cryptocurrency mining, there have only been a handful of arrests relating to it. For now, it could be argued that it isn’t viewed as a big priority for the authorities when compared with more damaging cybercriminal campaigns such as trojans, wipers, and ransomware — and that in itself is attractive to wannabe attackers.
“Generally speaking, law enforcement attention hasn’t been focused on mining operations. That’s a contributing factor to actors carrying out these campaigns, because there’s not a lot of action against individuals conducting these,” Kimberly Goody, senior threat intelligence analyst at FireEye, told ZDNet.
“If the risk of arrest becomes higher, it might detract actors, but for the time being the risk isn’t there, so it will continue to increase throughout the year,” she added.
Despite cryptocurrency mining becoming more widespread, there are some simple procedures that can go a long way to protecting networks from it.
Some cryptojacking variants rely on the exploitation of old vulnerabilities, so ensuring that patches have been installed is a good first step towards protecting against these attacks. Basic email security hygiene can also help to protect users from attacks.
However, even in the event that a system does become infected, the often basic nature of mining malware means it is relatively simple for system administrators to remove.
“While it’s an obvious threat that the industry is facing and it’s prolific and growing, at the same time blocking malicious miner traffic is something that’s easily done by simply looking for the protocol on your network traffic,” said Eitzman.
“The protocol is unique, all of the traffic is in plain text and it’s as simple as looking for certain patterns and protocols running on your network and taking the steps to remove it,” she added.
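The article does not name the protocol Eitzman refers to; the plaintext JSON-RPC protocol that CPU miners use to talk to their pools is Stratum, and the example below, added here and not part of the original article or any vendor's tooling, shows the kind of pattern matching she describes. It walks a capture of TCP payloads (a constructed sample, one payload per line) and flags flows whose payload is a Stratum request such as `mining.subscribe`, `mining.authorize` or the `login` call that Monero-style pools use. The addresses, wallet strings and agent names in the sample are made up.

```python
"""Flag Stratum mining-pool traffic in a plaintext capture (added example)."""
import json
import re

# Method names a miner sends to its pool. The "mining.*" names are Stratum v1;
# "login", "submit" and "getjob" are the variant spoken by Monero-style pools.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.extranonce.subscribe", "login", "submit", "getjob",
}

# Constructed capture: "src -> dst payload", one TCP payload per line.
# Hosts, ports, wallet strings and agent names are invented for this example.
SAMPLE_CAPTURE = [
    '10.0.0.5:51234 -> 203.0.113.10:3333 {"id": 1, "method": "mining.subscribe", "params": ["cpuminer-multi/1.3"]}',
    '203.0.113.10:3333 -> 10.0.0.5:51234 {"id": 1, "result": [[["mining.notify", "ae6812eb"]], "f800", 4], "error": null}',
    '10.0.0.5:51234 -> 203.0.113.10:3333 {"id": 2, "method": "mining.authorize", "params": ["WALLET_PLACEHOLDER.rig1", "x"]}',
    '10.0.0.5:51234 -> 203.0.113.10:3333 {"id": 4, "method": "mining.submit", "params": ["WALLET_PLACEHOLDER.rig1", "bf", "00000001", "5a1d2c3e", "e9695791"]}',
    '10.0.0.7:44210 -> 198.51.100.8:5555 {"id": 1, "jsonrpc": "2.0", "method": "login", "params": {"login": "WALLET_PLACEHOLDER", "pass": "x", "agent": "XMRig/5.11"}}',
    '10.0.0.9:40112 -> 192.0.2.20:443 \x16\x03\x01\x02\x00',          # TLS handshake, not JSON
    '10.0.0.9:40113 -> 192.0.2.21:80 GET /index.html HTTP/1.1',      # ordinary web request
    '10.0.0.11:38000 -> 192.0.2.30:8080 {"id": 9, "method": "status.get", "params": []}',  # unrelated JSON-RPC
]

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<payload>.*)$")


def stratum_method(payload):
    """Return the Stratum method name if the payload is a Stratum request, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None  # binary or non-JSON payload cannot be a Stratum line
    if not isinstance(msg, dict):
        return None
    method = msg.get("method")
    return method if method in STRATUM_METHODS else None


def scan_capture(lines):
    """Walk the capture and report every flow carrying a Stratum request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed capture line, skip it
        method = stratum_method(m.group("payload"))
        if method is None:
            continue
        findings.append({"src": m.group("src"), "dst": m.group("dst"), "method": method})
    return findings


def mining_hosts(findings):
    """Collapse findings to the internal source hosts worth investigating."""
    return sorted({f["src"].rsplit(":", 1)[0] for f in findings})


if __name__ == "__main__":
    hits = scan_capture(SAMPLE_CAPTURE)
    for h in hits:
        print(f"{h['src']} -> {h['dst']}: {h['method']}")
    print("hosts to investigate:", mining_hosts(hits))
```

The pool's reply on the second line carries `result` rather than `method`, so only the miner-originated requests are flagged; on the sample this yields four hits from two internal hosts. Matching on the method names rather than on a fixed pool port is deliberate, since pools listen on many ports, but the same logic says nothing about miners that wrap Stratum in TLS, which this plaintext check cannot see.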
For the time being, malicious cryptocurrency mining remains a threat. However, should cryptocurrency values suddenly fall off a cliff, attackers could once again look elsewhere for means of illegally making a profit.
“What will be interesting will be to see at what point it becomes no longer economically viable for criminals to use cryptocurrency mining as a way of making money. A lot depends on how the market performs and if the bubble bursts — maybe that will cause a drop off,” said McLellan. “But for now it’s becoming the new normal.”