Cryptojacking Outpaces Ransomware Attacks
Print Issue: June 2019
Their goal is to infiltrate without being noticed. To attach themselves to their host and deplete some, but not all, of its resources. And to grow until detection is no longer avoidable and the host is no longer needed.
Like a parasite, cryptojackers use the resources of their hosts’ computers and Internet of Things (IoT) devices to mine for cryptocurrency while evading detection. And what started out as a small vector of attack has quickly grown into an epidemic in the last year.
In its annual Threat Intelligence Index released in February, IBM’s X-Force found that cryptojacking attacks increased 450 percent while ransomware attacks declined by about 45 percent.
“Criminals are increasingly leveraging coin-mining malware over ransomware, installing miners on victim endpoints and enslaving them, thus slowly generating coins for the attacker,” according to the report.
“That was surprising coming off WannaCry and NotPetya, and the other large ransomware trends,” says John Kuhn, senior threat researcher at X-Force Iris, the research and incident response arm of IBM. “The reason behind the decline in ransomware—I think—is that people are not falling victim to it anymore.”
Ransomware is intrusive and obvious to targets. Its goal is to get victims to pay cryptocurrency to the perpetrators, so they make a profit. But more people are aware of ransomware and are skeptical that they will get their data back if they pay. Antivirus companies are also getting better at detecting and preventing attacks, Kuhn adds.
Ransomware is still around, “but overall I don’t think it was making that much money for them, so they switched over to cryptojacking or cryptomining malware,” he says.
Just as miners are needed to extract the metals used to create physical currencies, they are also needed to produce cryptocurrencies and validate transactions made with them. The difficulty of mining depends on the type of cryptocurrency. Bitcoin is the most complicated, requiring computers to solve complex math problems to produce a new piece of currency.
Cryptomining requires a great deal of computing power and is most profitable when done on a large scale, said Ayse Kaya Firat, head of analytics and customer insights at Cisco, in a presentation at the RSA Conference in March.
To lower their costs, some criminals are engaging in cryptojacking—using a cryptocurrency miner on an individual’s device without the owner’s knowledge or consent.
“This operation taxes the device’s central processing unit or graphics processing unit, is costly in terms of electric power, and can cause damage to devices as they overheat,” according to the X-Force report.
Threat actors typically use two methods to engage in cryptojacking. The first is via a website that an individual visits using a web browser. Attackers tend to target websites that an individual would stay on for a lengthy period of time, such as news websites or video hosting sites.
“You go to a website, there are some scripts that connect out and then connect back to your browser, and they force the browser to start mining Monero or another cryptocurrency without your knowledge or permission,” Kuhn says.
The only sign that such a script is running would likely be that the central processing unit (CPU) fan kicks up, because the CPU is working overtime to mine cryptocurrency while the individual is using the device.
“Or your machine might get really slow—it all happens on the backend,” Kuhn adds. “And essentially when you close the browser out, the whole process stops.”
The other method is to install cryptomining malware on an individual’s device, which is how roughly 50 percent of miners were conducting cryptomining in 2018, Firat said. This malware takes over the CPU to mine for cryptocurrency, even when a user is not actively using the device.
“These are the more troubling ones because you’re not sitting at your computer and you don’t notice the sluggishness, the fans kicking up, or anything else,” Kuhn explains.
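As an added illustration (not code from the article or from the researchers quoted), a small triage heuristic over constructed endpoint telemetry that separates the two patterns described above: load that disappears the moment the browser is closed, and load that continues while nobody is at the keyboard. The sample fields, thresholds and host names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    minute: int          # one telemetry sample per minute (assumed)
    cpu_pct: float       # overall CPU utilisation
    user_active: bool    # keyboard/mouse input seen in this minute
    browser_open: bool   # any browser process running

def sustained_high_cpu(samples, threshold=85.0, min_minutes=10):
    """Return (start, end) minute windows where CPU stays at or above
    `threshold` for at least `min_minutes` consecutive samples."""
    windows, start, last = [], None, None
    for s in samples:
        if s.cpu_pct >= threshold:
            start = s.minute if start is None else start
            last = s.minute
        elif start is not None:
            if last - start + 1 >= min_minutes:
                windows.append((start, last))
            start = None
    if start is not None and last - start + 1 >= min_minutes:
        windows.append((start, last))
    return windows

def classify(samples, window):
    """Label a sustained-load window with the two patterns the article
    describes. Heuristic only: a long build or backup looks similar."""
    start, end = window
    inside = [s for s in samples if start <= s.minute <= end]
    after = [s for s in samples if s.minute > end]
    if any(not s.user_active for s in inside):
        return "persistent-miner"      # keeps going with nobody at the keyboard
    if all(s.browser_open for s in inside) and after and not after[0].browser_open:
        return "browser-script"        # load vanished when the browser closed
    return "unclassified"

def triage(samples):
    """Every sustained-load window on a host, with its label."""
    return [(w, classify(samples, w)) for w in sustained_high_cpu(samples)]

def constructed_telemetry():
    """Two constructed hosts; not real captures."""
    host_a = [Sample(m, 92.0, True, True) for m in range(15)]    # browsing a video site
    host_a.append(Sample(15, 6.0, True, False))                   # browser closed, load drops
    host_b = [Sample(m, 96.0, False, False) for m in range(21)]   # overnight, user away
    host_b.append(Sample(21, 95.0, True, False))                  # still pegged when user returns
    return {"host-a": host_a, "host-b": host_b}
```

Run it on the constructed telemetry and host-a is labelled as browser-based mining while host-b is flagged as a persistent miner that deserves a closer look.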
Another sign that cryptomining might be underway is a spike in electric bills. In a 2018 report, Morgan Stanley said global power demand from cryptocurrency mining was at about 22 terawatt hours but could surge to between 125 and 140 terawatt hours by the end of the year—approximately 0.6 percent of world consumption and the same as the entire electrical consumption of Argentina in an average year.
“In the short term, cryptocurrency power consumption is a small percentage of global power usage so we don’t anticipate it will impact utility valuations in the near- to medium-term,” said Nicholas Ashworth, cohead of European Utilities Research at Morgan Stanley, in a statement on the report. “But over time the energy consumption of cryptocurrencies and blockchain technologies will likely become a hot topic for the utility sector.”
Another troubling trend that’s beginning to emerge is cryptojacking campaigns that use Internet of Things (IoT) devices, such as routers and cameras. Similar to how attackers compromised millions of IoT devices in the Mirai botnet attack (see “Rise of the IoT Botnets,” Security Management, February 2017), actors will “exploit a vulnerability inside these devices and make them start to mine cryptocurrency,” Kuhn says.
This is especially problematic because IoT devices traditionally use default passwords or weak passwords, have low built-in security, and are not regularly patched, says Coleman Wolf, CPP, CISSP, senior security consultant at Environmental Systems Design and a member of the ASIS International IT Security Council.
“I do regular presentations, and one of the points I always drive home is these IoT devices might not look like it, but under the hood they’re computers,” Wolf says. “They may not be as powerful as a desktop or a server, but like any other computer they can be exploited.”
And like computers, it may be difficult to tell if an IoT device is being used for cryptomining. Often, the most obvious sign is if the device stops functioning.
“A lot of these routers and cameras are not designed to run at full CPU tilt that these miners do,” Kuhn says. “So, a lot of times they just fail or stop functioning, and that’s a big sign that something might be going on.”
To proactively identify whether an IoT device is being used for cryptomining, Wolf recommends that end users change the default passwords on their devices, patch regularly, and conduct regular network scanning.
“I don’t want to get people paranoid if their security camera does something buggy and immediately make them think it’s been hacked, but that’s one way to be suspicious,” he explains. “If power, speed, or effectiveness of the device changes unexpectedly, that could be a sign that it’s been compromised.”
However, threat actors will likely be cautious about causing the device to fail entirely, because they want to keep using it for cryptomining.
“It doesn’t work to the miners’ advantage to kill the system, to kill their host, or have people unplug the device because it’s not working,” Wolf says.
And while the threat actors are not using cryptojacking to inflict harm on the host, the activity does pose a security threat because it offers a foothold into the system for additional activity.
“If they were able to slip this cryptojacking malware in, there’s a large chance that they’re going to slip in something like a banking Trojan, an information stealing Trojan, or one of those fileless-type malwares using PowerShell that are far more dangerous than something like a cryptojacking malware,” Kuhn adds.