Skittish ransomware gangs looking for easier paydays help drive the recent uptick in illegal cryptocurrency mining.
(February 7, 2023) Despite a precipitous drop in cryptocurrency values over the past several months, cryptojacking remains a growth industry for malicious actors. Cybersecurity analysts believe some of that growth is being driven by ransomware gangs seeking less-risky revenue streams.
Global cryptojacking volume rose by 30 percent in the first half of 2022, while ransomware attacks have trended downward, according to the 2022 SonicWall Cyber Threat Report. The security firm suggests that increased international law enforcement efforts, including the arrests of several members of the notorious REvil gang, have ransomware gangs looking for an easier payday.
“Cryptojacking is on the rise because it presents a lower risk than ransomware,” said Mark McClelland, co-founder and vice president of Mainstream Technologies. “Ransomware requires that the cyber criminals communicate with the victims and rely on the victims to pay. Cryptojacking operates almost silently in the background, constantly providing a payout for the perpetrators.”
Easy Pickings
Cryptojacking is the unauthorized use of a computer, mobile device, or server to mine cryptocurrencies. Hackers typically gain access to the device by using an email phishing scam to trick someone into clicking a malicious link, which triggers the download of crypto-mining code on the device.
From the criminal’s perspective, it’s a lot easier than ransomware. With cryptojacking, there’s no need to strong-arm victims into paying a ransom — every infected computer continuously pays off by mining cryptocurrency. Cryptojacking is also more difficult to detect and trace, and victims aren’t as likely to report incidents. Plus, it requires very little technical skill — cryptojacking kits are available on the dark web for as little as $30.
In fact, crypto miners are now the most common malware threat, with more than 150,000 detected in 2021. In a July report, the Federal Bureau of Investigation said it had identified 244 victims of various crypto-related cybercrimes with an estimated loss of $42.7 million since the beginning of the year.
Another factor contributing to the increase in cryptojacking is the Log4j vulnerability. Within days of the flaw’s discovery, security firms detected hundreds of thousands of attempts to remotely inject coin-miner malware on corporate networks. Worse yet, analysts said the cryptojacking software increasingly includes additional malicious payloads designed to exfiltrate data from compromised systems.
New Techniques
Meanwhile, Microsoft reports it detects crypto-mining malware on hundreds of thousands of endpoints every month via its Windows antivirus service. The company warns that these threats are becoming increasingly complex and evasive, using various techniques to infect a device. The three most common approaches are:
- Executable: These attacks typically leverage phishing or other social engineering techniques to implant malicious applications or executable files on unsuspecting users’ devices. The malware then uses system resources to mine cryptocurrencies.
- Browser-based: These miners are injected into legitimate websites, consuming resources through a user’s web browser for as long as the browser is open to that site.
- Fileless: These stealthy threats perform mining in a device’s memory and achieve persistence by hijacking tools such as “living-off-the-land binaries” (LOLBins) to evade detection. LOLBins are legitimate utilities, libraries, and other tools that are native to a given computing environment.
Microsoft reports that many of the cryptojacking threats it is monitoring use the fileless approach. Additionally, it reports that 85 percent of the fileless attacks leverage the Notepad text editor common to all Windows machines. Because Notepad is always available, users wouldn’t think twice about seeing it in a list of running processes.
Because a fileless miner stores no code on the user’s disk and does no obvious damage to the device or data, cryptojacking is extremely hard to detect. Users might notice performance degradation, but it typically isn’t severe.
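The fileless pattern described above leaves one observable trace: a process that should be idle (Notepad, for example) burning CPU for minutes at a time. The following Python script, an added example that is not part of the article or Mainstream Technologies’ material, shows a simple defender-side heuristic over process CPU samples: each process name gets an expected CPU baseline (the baselines and the sample data are constructed assumptions), and any process that stays above its baseline for a sustained window is reported. This is the kind of signal an EDR tool correlates with other telemetry; on its own it is a triage aid, not proof of mining.

```python
"""Flag processes with sustained CPU use that is out of character for them.

Added example, not from the article. The per-process baselines and the
sample data below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Expected near-idle CPU ceiling (percent) for common Windows processes.
# Assumption for the example; real baselines come from your own telemetry.
LOW_CPU_BASELINE = {
    "notepad.exe": 5.0,
    "explorer.exe": 15.0,
    "svchost.exe": 20.0,
}


@dataclass(frozen=True)
class Sample:
    ts: int          # seconds since start of the collection window
    pid: int
    name: str
    cpu_pct: float   # CPU share observed for this process at ts


def flag_sustained_cpu(samples, min_duration=60, default_threshold=80.0):
    """Return {pid: (name, seconds_over_threshold)} for processes whose CPU
    stayed above their baseline for at least min_duration seconds.

    A process without a known baseline is only flagged above
    default_threshold, so a busy compiler or browser tab is not reported
    unless it pins the CPU for the whole window.
    """
    by_pid = defaultdict(list)
    for s in samples:
        by_pid[s.pid].append(s)

    findings = {}
    for pid, series in by_pid.items():
        series.sort(key=lambda s: s.ts)
        name = series[0].name
        threshold = LOW_CPU_BASELINE.get(name.lower(), default_threshold)
        run_start = None   # timestamp where the current over-threshold run began
        longest = 0        # longest contiguous run seen, in seconds
        for s in series:
            if s.cpu_pct > threshold:
                if run_start is None:
                    run_start = s.ts
                longest = max(longest, s.ts - run_start)
            else:
                run_start = None   # run broken; reset
        if longest >= min_duration:
            findings[pid] = (name, longest)
    return findings


# Constructed telemetry, one sample per process every 10 seconds.
SAMPLES = (
    # notepad.exe pinned at 95% for the full two minutes: miner-like.
    [Sample(t, 4242, "notepad.exe", 95.0) for t in range(0, 130, 10)]
    # explorer.exe idling: normal.
    + [Sample(t, 100, "explorer.exe", 3.0) for t in range(0, 130, 10)]
    # chrome.exe briefly busy (40 s) then quiet: normal page load.
    + [Sample(t, 555, "chrome.exe", 90.0 if t <= 40 else 10.0)
       for t in range(0, 130, 10)]
)


if __name__ == "__main__":
    for pid, (name, secs) in flag_sustained_cpu(SAMPLES).items():
        print(f"pid {pid} ({name}) above baseline for {secs}s: investigate")
```

Running it reports only pid 4242 (notepad.exe, 120 s over baseline); Chrome’s 40-second burst falls under the 60-second window and Explorer never leaves its idle range.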
Nevertheless, the impact of cryptojacking is significant. In addition to diminishing user productivity, always-running crypto-mining processes can overheat batteries and destabilize other system components. Organizations can end up dedicating a lot of time, money, and resources to investigating performance problems and even replacing system components in an attempt to resolve the issue.
Identify and Block Threats
User education is one of the keys to reducing the risk of cryptojacking. Employees should understand what it is, the signs of infection, how it spreads, and the damage that can be done. Because devices can be exposed when users visit legitimate websites, organizations should also consider implementing anti-cryptojacking browser extensions such as No Coin and MinerBlock to help users detect and block these threats.
Intel’s Threat Detection Technology (TDT) is a very effective solution for exposing hidden crypto miners. Leveraging machine learning capabilities, TDT constantly scans CPUs and analyzes signals to detect patterns suggesting cryptojacking activity. Because this workload is offloaded to an integrated graphics processing unit, there’s no impact on system performance. When threats are detected, TDT sends a high-fidelity signal that triggers remediation workflows from endpoint detection and response solutions. For example, Microsoft Defender for Endpoint leverages TDT to identify and block cryptojacking threats at the software level.
“Cryptojacking is a growing threat that can sap system performance, increase operational costs, and even damage equipment,” said McClelland. “These criminals are getting their victims to pay for the underlying hardware and electricity so they can scale up by infecting thousands of other devices from other organizations including phones, routers, and Internet of Things devices. It can also provide a pathway for more malicious malware to infect systems and exfiltrate data. Organizations should conduct ongoing cybersecurity awareness training for employees and adopt a defense-in-depth strategy to mitigate these continuously evolving threats.”
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile