Cryptojacking Displaces Ransomware as Top Malware ThreatCriminals' Quest for Cryptocurrency Continues
Criminals with a penchant for launching online attacks must have thought they had it made when ransomware came along. Forget having to infect PCs with keystroke-monitoring software to steal passwords or use web injections to transfer funds in the background whenever victims logged into their online bank account. Instead, they could just forcibly encrypt many of the files on a victim's PC and demand they pay a ransom in tough-to-trace cryptocurrency.
So it's notable that while ransomware attacks haven't gone away, they have been supplanted by malware that's designed to infect systems and use their CPUs to mine for cryptocurrency.
If 2017 was the year of ransomware innovation, 2018 is already well on its way to being known as the year of cryptocurrency mining malware (see Threat Watch: Ransomware, Cryptocurrency Mining and More).
Numerous studies have found that the most seen malware attacks today are designed for cryptojacking, which involves infecting systems with malicious code that uses CPUs to mine for cryptocurrency. Mining means solving complex computational challenges that verify cryptocurrency system transactions, which adds them to the cryptocurrency's blockchain. In return, miners may receive cryptocurrency back as a reward.
Such attacks are on the rise. "Attackers targeting cryptocurrencies may be moving from ransomware to coin miner malware, which hijacks systems to mine for cryptocurrencies and increase their profits," says Raj Samani, chief scientist at McAfee.
"New coin miner malware jumped an astronomical 1,189 percent" in the first three months of this year," he adds, compared with the last three months of 2017, surging from 400,000 to 2.9 million detected pieces of malware. "This suggests that cybercriminals are warming to the prospect of monetizing infections of user systems without prompting victims to make payments, as is the case with popular ransomware schemes," according to a new report from McAfee.
In the same timeframe, meanwhile, the quantity of new ransomware attacks dropped by 32 percent, he says, "largely as a result of an 81 percent drop in Android lockscreen malware," Samani says.
McAfee's results square with other studies. "Ransomware is rapidly vanishing, and ... cryptocurrency mining is starting to take its place," say researchers at security firm Kaspersky Lab. It says the total number of users who encountered mining malware increased by 44 percent over the past year.
Some organizations appear to be more at risk than others. Security firm Vectra says many mining operations trace to university systems, although it's not always clear if they're malicious.
From August 2017 through January 2018, "as the value of cryptocurrencies like bitcoin, ethereum and monero increased, there was a corresponding uptick in the number of computers on university campuses performing mining or cryptojacked by miners to process cryptocurrency hashes," Vectra reported in March.
Market Volatility and Attacker Behavior
But cryptocurrency market volatility continues and attacker behavior may adjust as a result. In recent weeks, notably, the value of some cryptocurrencies has crashed. The value of a bitcoin last December reached a record peak of $17,600, but on Wednesday, was worth around $6,500 - a decline in value of more than 70 percent. Meanwhile, Dash, after reaching $914 last December, was trading at around $240 on Wednesday, while Monero peaked at $465 in January and was worth about $142 on Wednesday.
If cryptocurrency prices continue to plunge, might attackers desert cryptocurrency mining malware?
McAfee's Samani, referencing statistics published in April, says that as the value of cryptocurrencies rose, so too did mining attacks. "The graph shows an incredibly price sensitive environment with clear correlation between miners and price," Samani tells Information Security Media Group.
Miner Attack Tactics
Attackers typically sneak mining malware onto systems using well-established techniques for distributing malicious code. Typically, miners arrive via malware downloaders, which can install everything from keystroke loggers and distributed denial-of-service attack tools to ransomware and cryptocurrency miners on an endpoint. "However, some small criminal groups try to spread malware by using different social engineering tricks, such as fake lotteries," Kaspersky Lab says. "In these cases, potential victims need to download a random number generator from a file-sharing service, and run this on their PC to participate. It is a simple trick, but a very productive one."
Some attackers are also making use of scripts that run in the browser and infecting legitimate sites to serve the code. Experts say the most often seen code is from Coinhive, a site that maintains a monero script that anyone can use, with the site taking a 30 percent cut of any resulting profits. While the script can be used for legitimate purposes, it's also been tapped by a number of criminals (see Cryptocurrency Miners Exploit Widespread Drupal Flaw).
Another attack technique is to infect enterprise servers with cryptocurrency-mining malware. Last year, for example, attackers targeted the SMB flaw known as EternalBlue to infect servers with Adylkuzz cryptocurrency mining malware. Security experts say that campaign appeared to be run by Lazarus Group, an APT gang that's been tied to the government of North Korea (see Cybercriminals Go Cryptocurrency Crazy: 9 Factors).
Kaspersky Lab says cryptocurrency mining campaigns that successfully infect enterprise servers can be very lucrative, with one gang having used Wannamine malware, which also targets EternalBlue, to earn 9,000 monero, worth about $2 million. Another strain of mining malware, called Winder, has been tied to a botnet that earned $500,000 from mining.
Defenses Against Mining Malware
Security experts say that defending against mining malware requires the same tactics as fending off just about any type of malware.
"Treat email attachments, or messages from people you don't know, with caution. If in doubt, don't open it," Kaspersky Lab recommends.
Other recommendations: Always maintain up-to-date backups, keep all software up to date - so attackers can't exploit known flaws - and run anti-malware software.
For businesses, "carry out regular security audits of your corporate network for anomalies," Kaspersky Lab says. "Don't overlook less obvious targets, such as queue management systems, POS [point-of-sale] terminals and even vending machines. As the miner that relied on the EternalBlue exploit shows, such equipment can also be hijacked to mine cryptocurrency."
Security experts also recommend reporting all cryptomining infections to authorities, to help them gather intelligence that might enable law enforcement agencies trace and shut down these types of operations.
Other Threats: Diminished But Ongoing
While cryptojacking might be grabbing headlines, other threats still remain.
Macro malware attacks have continued to increase, says McAfee, which notes that such malware "usually arrives as a Word or Excel document in a spam email or zipped attachment" and uses "bogus but tempting filenames encourage victims to open the documents, leading to infection." While such attacks may appear simple - in some cases literally instructing victims to enable macro functionality in Microsoft Office, which is disabled by default due to the risk it poses - evidently there are enough individuals falling victim to these attacks to make it worth criminals' time and effort (see Hello! Can You Please Enable Macros?).
Ransomware attacks also remain alive and well. ID Ransomware, a site that allows victims to upload a ransom note or encrypted file to identify the ransomware that crypto-locked them, now counts 603 ransomware families, with names such as AnimusLocker, Aurora and Dharma, as well as GlobeImposter 2.0, RotorCrypt and Scarab. While the site doesn't claim to catalog every known type of ransomware or variant, the sheer scale of ransomware options continues to be alarming.
Ransomware Innovation Continues
"It's still a huge problem ... and the cybercriminals are very much still innovating here," James Lyne, global research adviser at Sophos, tells ISMG (see Ransomware: No Longer Sexy, But Still Devastating).
Lyne says it's easier than ever for would-be cybercriminals to make money from ransomware. As an example, he cites Data Keeper, a site that provides customized ransomware for others to distribute, then gives distributors a cut of any ransom payments made by their victims. That type of ransomware-as-a-service offering - and there are many - makes it "point-and-click easy for people to generate new ransomware," he says.
"Ransomware is never going to go away," Adam Kujawa, director of malware intelligence at security firm Malwarebytes, told ISMG early this year, when he noted that the pace of ransomware innovation was slowing and the prevalence of cryptocurrency mining malware was sharply on the rise (see Ransomware Outlook: 542 Crypto-Lockers and Counting).
Ransomware "is a genius attack," Kujawa said. "It focuses directly on extorting money from the victim, there's no third-party sale that has to be made, there's nothing like that. It's just: 'Hey, you want your files back, give me back money.' It's simple and that's the amazing thing about it."
A number of attacks this year have demonstrated that some cybercrime gangs are continuing to refine their ransomware tactics, including apparently targeting larger organizations rather than consumers.
SamSam ransomware, for example, has been tied to multiple attacks this year, making victims of such organizations as electronic health records provider Allscripts, an unnamed industrial control system company - Bleeping Computer has reported - plus two Indiana hospitals, including Hancock Health, as well as the City of Atlanta, among others (see Atlanta's Ransomware Cleanup Costs Hit $2.6 Million).
Since January, ransomware called Gandcrab displaced Locky as the most prevalent crypto-locking malware in circulation. "Gandcrab uses new criminal methodologies, such as transacting ransom payments through the dash cryptocurrency rather than through bitcoin," according to McAfee (see Crabby Ransomware Nests in Compromised Websites).
So while 2018 seems destined to be the year of cryptojacking, and many other online attack types are down, they're not out.