This last year you couldn’t turn on the TV, look at social media, or visit your favorite internet news source without being faced with another story of a ransomware compromise. These attacks are highly destructive and largely driven by financial gain. Threat trends and methods to “make a quick buck” will continue, while new methodologies rise to the forefront. Based on recent observations, I believe the next trend to watch is cryptocurrency mining.
I have seen a notable uptick in cryptocurrency miners being delivered through a range of attack techniques against a range of targets. These observations come both from attacks my team has observed in the wild and from research published by other security teams. Even highly public breaches like that of the Tesla systems ended with a miner as the final payload. This trend leads me to believe that the focus of financially motivated adversaries and botnets will move away from ransomware as the primary payload. I am not hypothesizing that ransomware is going away, but that miners will become a more frequently observed payload.
My hypothesis for a spike in cryptomining is based on three points:
1. Ransomware’s high visibility could lead to its downfall.
Ransomware gets the attention of popular media because it is so disruptive. Recently, the Colorado Department of Transportation was forced to take 2,000 endpoints offline when the SamSam variant of ransomware hit its systems. An attack like this potentially impacts critical infrastructure and draws in law enforcement; the CDOT response involved both the FBI and the Colorado National Guard.
In the past, this type of visibility has led to the downfall of many criminal organizations. Furthermore, ransomware tends to be a one-time payout per compromised target. If an adversary can keep earning from a single target over time, rather than collecting a single ransom, there is the chance for longer term gains. As a result, I believe that criminal organizations will jump on cryptocurrency mining as the malware payload. Cryptominers represent a low-friction way to make money with minimal victim interaction. By contrast, ransomware only pays if the victim notices the demand, decides to pay, and completes the transaction.
2. Everyone is on the lookout for ransomware.
If you draw significant attention to yourself, authorities are going to pay attention. Back to the first point: because of the sheer destructiveness of ransomware, everyone is highly focused on it. If you are trying to be sneaky, running malware that even my grandmother knows about is not your best solution.
In contrast, miners introduce little in the way of destruction, other than the cost of the CPU cycles and electricity they consume. Cryptomining is built for distributed processing, which is where botnets shine; it is more subtle, and it provides a better long term return on investment. In addition, a miner is just a user-mode process and often requires no administrator permissions to be introduced into the environment. This means adversaries can quickly drop miners onto systems with user-level permissions, whether through phishing emails carrying document attachments or through web server exploits.
3. Cryptocurrency is highly lucrative.
There is currently a significant amount of investment in various forms of cryptocurrency. If the overall goal is to make money that is hard to attribute, cryptocurrency is spot on. The market growth around cryptocurrency has been phenomenal; look at the history of Bitcoin and the rapid appreciation of its value. Even ransomware requests payment in Bitcoin, and cryptocurrency has even made its way into the fast food market. Blockchain transactions are also still difficult to tie to a real-world identity, making them a solid choice for criminal transactions.
Key Takeaways: 5 Tips to Mitigate Attacks
So will cryptocurrency miners overtake ransomware? Time will tell. Either way, there are a few key lessons for defenders. Regardless of the specific payload, most of the techniques used in these attacks, and most of the mitigations, remain the same. Based on the attacks my team has recently observed, I recommend the following actions:
1: First and foremost, be aware.
Don’t lose focus because cryptocurrency miners don’t have the same high-level visibility of a ransomware attack. The execution of a cryptominer, just like ransomware before it, is a symptom of a larger issue: something allowed an adversary to deliver and run a payload on endpoints in your network. As defenders, our focus remains the same: concentrate on the behaviors that lead to payload delivery, prevent what we can, and ensure we have the visibility to detect and remediate everything we cannot prevent.
2: Use good IT hygiene.
All this translates to good IT hygiene. Harden your systems by running accounts and services with the least privilege they need. Do not expose systems that still carry default configurations or weak access controls to the wider network.
3: Encourage safe browsing and use internet access control tools.
4: Deploy application whitelisting.
Application whitelisting is one of the best preventive controls you can deploy to reduce attack surface. It will not solve everything, but it gives you a way to block the execution of unapproved binaries even after they reach a host. It also helps to prevent sources of compromise such as users downloading untrusted applications via peer-to-peer sharing or other untrusted distribution channels. When implemented on server infrastructure, this control can stop cryptominers and other payloads from executing even when the adversary succeeds in delivering them to the target.
5: Implement proper configuration and patch management.
Many of the recent attacks my team has observed have targeted web servers that either had unpatched vulnerabilities or were deployed with weak controls and configurations. Make sure you have consistent hardening and patching guidelines, and that you know what systems are on your network. You cannot patch or harden a system you do not know you own, so an accurate inventory is the foundation for understanding where risk exists.
Cryptominers are more subtle than ransomware and do not have the same destructive shock impact; however, they still represent a compromise, and they are massively lucrative to the adversary. A cryptominer indicates an intrusion into the environment in which those administering the network have lost control. The direct cost of siphoned computing and energy resources may be large or small, depending on the network and the number of compromised machines. More important is the overall loss of control and accountability. The same foothold that runs a miner today could be used for lateral movement tomorrow, or to reach proprietary data. This is why it is important to secure the network and to understand the processes running on your endpoints.
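To make the last point concrete, here is an added example of what "understanding the processes running on your endpoints" can look like in practice. It is not code from the original post or from my team; it scores constructed endpoint telemetry (process command lines, CPU samples and outbound connections) against behavioral miner indicators. The indicators themselves are assumptions layered on the post: pool miners normally speak the stratum protocol (stratum+tcp:// or stratum+ssl:// URLs), use a recognizable set of command-line switches, run from world-writable scratch directories when dropped through a web server or user-level foothold, hold a long-lived connection to a pool port, and burn CPU for sustained periods. No single indicator is decisive, which is why the example scores them and why a busy but legitimate database process is not flagged.

```python
"""Score endpoint process records for cryptominer behavior.

Added example, not from the original post. Every indicator below is an
assumption about how pool miners typically behave; tune to your telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pool miners almost always take the pool as a stratum URL (assumption).
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Switches used by popular open-source pool miners (assumption).
MINER_FLAGS = {"--donate-level", "--algo", "--coin", "--rig-id",
               "--cpu-priority", "--randomx-1gb-pages"}
# Ports commonly exposed by mining pools (assumption).
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 14433, 45700}
# Directories a web-server or user-level foothold can write to without admin rights.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_HOT = 80.0        # percent CPU considered "hot"
CPU_SAMPLES = 3       # consecutive hot samples required
ALERT_THRESHOLD = 3   # minimum score to report


@dataclass
class ProcessRecord:
    pid: int
    user: str
    cmdline: str
    cpu_samples: List[float]                 # %CPU at successive polling intervals
    remote: Optional[Tuple[str, int]] = None  # (ip, port) of an established outbound TCP connection


def score_process(rec: ProcessRecord) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one process record."""
    score, reasons = 0, []
    argv = rec.cmdline.split()
    exe = argv[0] if argv else ""
    # Normalize "--flag=value" to "--flag" so either form matches.
    switches = {a.split("=", 1)[0] for a in argv}

    if STRATUM_RE.search(rec.cmdline):
        score += 3
        reasons.append("stratum pool URL on command line")
    hits = sorted(MINER_FLAGS & switches)
    if hits:
        score += 2
        reasons.append("miner flags: " + " ".join(hits))
    if exe.startswith(SCRATCH_DIRS):
        score += 1
        reasons.append(f"binary runs from scratch directory: {exe}")
    recent = rec.cpu_samples[-CPU_SAMPLES:]
    if len(recent) == CPU_SAMPLES and min(recent) >= CPU_HOT:
        score += 2
        reasons.append(f"sustained CPU >= {CPU_HOT:.0f}% over {CPU_SAMPLES} samples")
    if rec.remote and rec.remote[1] in POOL_PORTS:
        score += 1
        reasons.append(f"outbound connection to pool-style port {rec.remote[1]}")
    return score, reasons


def find_suspected_miners(records, threshold: int = ALERT_THRESHOLD):
    """Return findings for every record whose score meets the threshold."""
    findings = []
    for rec in records:
        score, reasons = score_process(rec)
        if score >= threshold:
            findings.append({"pid": rec.pid, "user": rec.user,
                             "score": score, "reasons": reasons})
    return findings


# Constructed sample telemetry (documentation IP ranges, placeholder wallet).
SAMPLE_PROCESSES = [
    ProcessRecord(4242, "www-data",
                  "/tmp/.x/kthreadd -o stratum+tcp://pool.example.net:3333 "
                  "-u WALLET_PLACEHOLDER --donate-level 1",
                  [97, 98, 99, 96], ("203.0.113.10", 3333)),
    # Legitimately busy database: hot CPU alone must not trigger an alert.
    ProcessRecord(1337, "postgres",
                  "/usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main",
                  [85, 90, 88, 92], None),
    ProcessRecord(2201, "www-data", "/usr/sbin/apache2 -k start", [3, 5, 4], None),
    # Miner with an innocuous name and no stratum URL, caught by flags + path + port.
    ProcessRecord(5150, "nobody",
                  "/dev/shm/updater --algo rx/0 --coin monero --cpu-priority 5",
                  [60, 95, 90], ("198.51.100.7", 14444)),
]

if __name__ == "__main__":
    for f in find_suspected_miners(SAMPLE_PROCESSES):
        print(f"pid {f['pid']} ({f['user']}) score={f['score']}: {'; '.join(f['reasons'])}")
```

In a real deployment the records would come from your EDR or from periodic `ps`/netstat-style collection, and the flagged processes should be correlated back to how the binary arrived (a web shell, a macro document, an exposed management interface), since the miner is only the symptom.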
I hope this post helps to give an early warning of what may be the latest trend in malware focused on financial gain. This topic is something we’re keeping an eye on, and my team will be following up with posts on interesting attacks we’ve seen using a cryptocurrency payload, such as a cryptominer that was installed on a web server and took steps to begin a patching program.