Relatively benign, cryptomining is displacing ransomware – but that’s not necessarily a good thing

Cybercriminals’ surging interest in cryptocurrency miners has seen the quickly-evolving technique apparently displacing ransomware, a new analysis has found, as instigators work to keep ahead of enterprises’ slowly-maturing information defences.

Global crypto miner prevalence increased by 130 percent between September 2017 and January 2018, according to a new Bitdefender report that noted many attacks are piggybacking new code on top of proven exploits like the EternalBlue code that spawned last year’s WannaCry and NotPetya mega-attacks.

Once they’ve penetrated corporate defences, many cryptocurrency miners are actively seeking out powerful company servers – which were targeted in 51 percent of observed cryptomining attacks – and there have been reports of crypto-mining attacks exploiting industrial control systems (ICS) and SCADA platforms.

Instigators often adopt obfuscation techniques to avoid detection. This might, for example, include throttling CPU usage during working hours or regularly rotating mining activities around a pool of computers to avoid creating obvious hotspots of high CPU activity.

“With ransomware it’s more difficult to make money because you have to create new ransomware samples, send out email attachments and wear the high probability that the victim might not open the attachment,” Bitdefender senior e-threat analyst Liviu Arsene told CSO Australia.

With browser-based coin miners easy to deploy on compromised Web sites – one recent audit found more than 50,000 such sites, and Bitdefender’s review found sites compromised in 37 percent of cases – cybercriminals have already realised that the model delivers guaranteed wins, compared with the hit-or-miss nature of ransomware.

Little wonder that browser-based cryptocurrency miners, such as CoinHive or the Monero JavaScript miner, have surged in popularity by more than 3000 percent over the last 12 months. “With coin miners, you get immediate ROI,” Arsene explained.

“Even if the victim has been visiting your Web sites for just 30 seconds, he will mine some crypto for you. And if you manage to infect an endpoint and move laterally, or infect the VDIs, at some point you can infect the entire infrastructure and start mining coin on virtual servers.”

High-capacity virtual infrastructure is particularly appealing to cybercriminals not only because it has so much available computing capacity, but because cloud infrastructure is designed to automatically spawn more virtual servers if CPU usage increases. This means that, compared with a conventional on-premises data centre, an infected cloud environment will simply spawn more and more coin-mining servers as CPU usage steadily grows.

That highly-scalable architecture also means that victims may have no idea they have been compromised until they receive a bill for all the extra virtual servers that were spawned by the coin-mining software; by that point, the cybercriminals have already reaped the benefits.

The rise of cryptocurrency miners has been correlated with a decline in the popularity of ransomware, which Bitdefender said dropped by 17.52 percent between November and December 2017.

Even though many crypto-currency miners may seem relatively innocuous – they are, by design, not destructive since they rely on working computers to function – they should not be taken lightly, Arsene warns.

A crypto-miner infection, particularly one that spreads across a virtual or physical infrastructure, likely heralds a vulnerability that may be leaving the business exposed to other, more malicious attack. Its detection should be taken seriously and acted upon immediately, with the chance of broader infections always kept in mind.

“Cybercriminals have so many options at their disposal right now,” said Arsene, “that all they need to do is to figure out how they can maximise their efforts in the shortest amount of time.”