The saga continues for the ownership of endpoints. Organisations purchase them, manage them, update, support, and protect them. However, the bad actors “own” them all the time. In the last half of 2017, cryptojacking became popularised. This led to a predictable shift from cyber criminals not only cryptojacking, but also installing malware with the sole purpose of using an endpoint that isn’t theirs to mine cryptocurrency. It’s a smart strategy if you’re a cyber criminal. Why try and ransom someone’s system and wait for them to pay you when you can print money?
There are a number of ways to use cryptojacking to take control of an endpoint, but one of the more pervasive models comes in the form of a script created by CoinHive. Think of the normal web-based marketing model: it serves ads on webpages to generate revenue for the site and drive customers to whomever the advertiser wants. This model has helped fuel the growth of the Internet. What CoinHive did was change that model. Instead of serving ads while users watch content or visit websites, the script would run and use the user’s browser as a cryptocurrency miner. In fact, this presents an upside as it allows people who opt in to donate to charities by monetising their CPU. Think of this as a newer version of SETI @home with a reward mechanism built in.
The problem begins to emerge when one considers how easy it is to inject malicious code into websites. Cyber criminals quickly started using these types of scripts and piggybacked on existing injection techniques. They have exploited legitimate websites as well as malicious ones. The problem became so pervasive that it started to damage people’s mobile devices.
Cryptomining malware grew from there. In January 2018, researchers identified 250 unique pieces of cryptomining malware alone. As with any other profitable malware model, cyber criminals will continue to innovate, obfuscate, and try and evade existing endpoint prevention capabilities. The problem will persist until the model no longer becomes profitable.
Let’s take a step back to understand why this issue is becoming so prevalent. Carbon Black’s latest threat report illustrated the ransomware market exploding to become a $5 billion U.S. market. Ransomware is and will remain highly profitable, especially as cybercriminals reap the following:
- They can leverage information on previous ransom or attack campaigns and use this technique to “hit” targets multiple times in the hopes of driving a higher success rate.
- Diversification is critical for any profitable business. Like any other venture, cyber criminals want to diversify their sources of income.
- It’s easy, it’s fast, and it’s effective.
- You get to actually “print” money, and that’s incentive enough for most cyber criminals.
That being said, criminals also face the following setbacks:
- Setting up a cryptocurrency wallet takes time, and so most companies don’t have one. This means the criminal must wait for payment instead of seeing an instant profit.
- Exchange fees apply to all transactions.
As long as there is a profit, the cyber criminals will continue to use ransomware and cryptomining malware as an avenue of attack. I would expect to see the same innovation and evasion that we have seen from ransomware continue to evolve this next form of extortion.
Stopping this form of malware requires the same approach we’ve always taken to stop other pieces of malware. The intention of cryptomining malware may be different, but prevention, detection, and response remain the same.
The fact is that even Nation States are using ransomware and cryptomining malware to bypass current sanctions and diversify portfolios. Calling for a cryptocurrency “ban” won’t help us deal with this problem today. Cyber criminals will use the easiest methods they can to generate income, and this is just one more example of them doing what they have always done. Defenders must do what we have always done and adapt.