Government of the Republic of Trinidad and Tobago

Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the market sectors of healthcare, finance, and education.

As more and more cybercriminals have jumped on the bandwagon, ransomware as a service and dozens of variations targeting organizations across the globe have practically turned it into a commodity. As it has evolved it has leveraged new delivery channels such as social engineering, new techniques such as multi-stage attacks to evade detection and infect systems, and new methods of payment often involving fledgling cryptocurrencies.

For example, GandCrab ransomware emerged in January with the distinction of being the first ransomware to require Dash cryptocurrency as a payment. According to Europol, it claimed 50,000 victims in less than a month. BlackRuby and SamSam were two other ransomware variants that emerged during the first quarter of 2018, with SamSam achieving special notoriety for taking down the administrative infrastructure of a major US city in March. And a separate ransomware attack, known as Olympic Destroyer, targeted the Winter Olympics just before the opening ceremonies. The U.S. government also announced the discovery of malware variants, known as HARDRAIN and BADCALL, which have been attributed to the North Korean threat team known as HIDDEN COBRA.

Ransomware volume dropped in Q1 of 2018

But in spite of these continued developments threat researchers have begun to notice some recent shifts in the ransomware trend. One measure of the success of malware is the number of organizations it is able to impact. In Q4 of 2017, for example, nine different malware varieties, including ransomware variants, had each managed to infect more than 10% of all organizations. This had been a trend for several quarters. Then suddenly, in Q1 of 2018 the number of threats that managed to crack the ‘1 in 10 organizations infected’ threshold dropped to three, and none of them were ransomware.

This sudden change prompted the obvious question of “what happened?” The short answer is, “cryptojacking happened” as two of the three malware varieties that made the 10% list were cryptojacking malware, an emerging attack vector that has seen truly remarkable growth during the first few months of 2018.

Cryptojacking affects more than 1 in 4 organizations

Cryptojacking malware grew from impacting 13% of all organizations in Q4 of 2017 to 28% of companies in Q1 of 2018, more than doubling its footprint. And the growth of this malware variety has been detected across every region of the globe. It’s rare that a threat bursts onto the scene and moves so quickly to the forefront, but that’s exactly what we’ve witnessed with cryptojacking over the last two quarters. It is also showing incredible diversity for such a relatively new threat. Cryptominers have been documented targeting multiple operating systems, and that mine for a variety of cryptocurrencies.

There also seem to be technical links between the ransomware and cryptojacking criminal communities. For example, ETERNAL BLUE was originally used in the WannaCry ransomware exploit. It has been now repurposed for a cryptojacking campaign called WannaMine. In addition, NotPetya’s use of Mimikatz (a hugely popular credential-stealing tool used for lateral movement) has also been mimicked by recent cryptojacking campaigns. And remember that Apache Struts vulnerability that compromised Equifax last fall? Cryptominers are targeting that as well. Even the recent Drupal vulnerability already been weaponized for cryptojacking.

Of course, ransomware and cryptojacking are fairly similar in terms of how they need to penetrate and spread between systems. But this may be more than just a case of one threat copycatting another. Ransomware has some inherent limitations, such as a poor long-term strategy for leveraging existing victims for additional revenue. Once ransomware hits an organization, criminals usually move on to the next victim.

Another of the challenges ransomware faces is that its high profile. Corporations have seen the economic and reputational impact of such a compromise, and do not want to get caught in a ransomware snare. So IT teams are on high alert to protect their networks, and are adopting a combination of advanced malware detection, network segmentation, patching, and offsite backups to fight back. As a result, more and more organizations are now able to simply refuse to pay a ransom because they can limit the impact of a ransomware attack and quickly restore whichever segment of the network was impacted.

All of which complicates the criminal’s job of maintaining and updating ransomware to stay ahead of existing countermeasures. Like any successful enterprise, many cybercrime organizations understand the maxim, “worker smarter, not harder.”

Cryptojacking is a very different model

Cryptojackers have clearly discovered that, if done properly, leveraging the processing power of a hijacked system to mine for cryptocurrencies can be a potentially long-term profitable venture.

Cryptojacking uses malware (typically via a script loaded into a web browser) to steal unused CPU cycles and use them to perform cryptomining calculations. This can be done either by directly infecting a device with malware, or by indirectly stealing processing cycles when a user visits a compromised website. New cryptojacking variations inject malicious JavaScript into a vulnerable website. Victims who simply browse such an infected site will have their CPU cycles hijacked to perform cryptomining.

Unlike ransomware, the success of this attack vector depends on not being detected. New rate-limiting variations, for example, restrict their cryptojacking malware from ever consuming more than a certain percentage of available CPU, and can even back off when legitimate usage hits a certain threshold. This allows the malware to fly under the radar of users, as it never interrupts normal device operations.

Cryptojackers who manage to develop and maintain a network of hijacked machines and aggregate the results through a central command and control center are able to generate revenue with only a fraction of the attention caused by ransomware. Which is why we expect continued investment and innovation in this criminal business model.

What your organization can do

If you are worried that your systems might be mining for, and lining the pockets of cybercriminals, start by checking the Task Manager (Windows), Activity Monitor (Mac), or “top” on the Linux command line on your connected devices. Collecting and listing the processes running across your network and then cross-referencing them against lists of legitimate software or known cryptojacking malware is one way to identify and address any application that’s surreptitiously consuming resources. The challenge is that many organizations don’t even maintain a current inventory of connected devices, let alone have some way to see what applications are running or how much resources they are consuming. Which is why a centralized management, orchestration, and IoC interface is essential for any security management system or SOC.

This is part of the larger challenge that IT teams face, which is simply finding the time or tools necessary to perform these sorts of basic security hygiene activities. Far too many IT teams today are simply stretched too thin implementing digital transformation projects to focus on new threat vectors. Complicating things further, encrypted data is now nearly 60% of all network traffic, rising another 6% in Q1 of 2018 alone. As cybercriminals increasingly use SSL and TLP encryption to hide malicious code or to exfiltrate data, inspecting encrypted traffic in increasingly crucial. Unfortunately, many legacy threat detection devices and signature-based antivirus tools currently in place don’t have the horsepower necessary to adequately inspect encrypted traffic at this volume without crippling network throughput.

Cybercriminals understand this. Which is part of the reason why they constantly shift tactics, tools, and technologies. Since organizations are unlikely to get a huge increase in budget and resources, they, like their cybercriminal enemies, also need to work smarter rather than harder. What’s needed is an and integrated automated security system that spans the distributed network to see threats and detect malware, including inspecting encrypted traffic at wire speeds, and then make autonomous decisions that can marshal all available resources to respond to those threats in real time. Until that happens, cybercriminals are likely to remain one step ahead in the security arms race.