Since Q3 of 2017 SecureLink CDC is actively tracking “cryptojacking” malware infections. In January of 2018 cryptojacking overtook ransomware in numbers. Progressing into Q1 this trend continues. What does this mean, and what’s the impact of being infected with a parasite, rather than a virus?

A quick recap
We’re comparing ransomware (ransoming files for extortion purposes) to cryptojacking (running a process on your host, using your CPU cycles to do cryptocurrency mining).

Ransomware is destructive, encrypting your files with the promise you get them back after payment. Thing is, the vast majority of victims do not pay, so they either lose their files or lose a lot of time restoring them from backup. There’s either destruction or productivity loss. Wannacry & Notpetya have not only destroyed files, but the business model, too. Paying victims didn’t get their files back, which is why no-one trusts criminals anymore. It’s a safe bet future ransomware attacks will be about destruction rather than making money, in activist and nation state territory rather than cybercrime.

Cryptojacking seems friendlier altogether. People with a positive mindset will argue it only steals CPU cycles (ieelectricity) and sends the outcome of the calculations to a central hub.

Whereas ransomware is almost always operated from a traditional botnet infrastrcuture, cryptojacking can be run from botnets, from the browser (as ad replacements), from bespoke hacking efforts, and last but not least: operated from your own personnel. In this article, we’re considering the botnet assisted variant.

A quick timeline
A year ago, we wrote about incidental coin miners seen in isolated cases. Before that, there’s been litecoin mining and other attempts which weren’t very fruitful. Over the last months, mining efforts have increased tremendously, with ZDNet reporting a botnet of half a million nodes, called Smominru. Criminals favor Monero, which is logical as transactions aren’t as traceable as, let’s say, bitcoin. Monero is a superior money laundry technology.

If we extrapolate our trend lines, ransomware will all but disappear within the next months. That said, extrapolation is seldom a good prediction method. On top of that, new destructive types of malware like Olympic Destroyer, riddled with false flags pointing to NKO, doesn’t even pretend to be ransomware. It just breaks stuff.

Virus vs parasite
Aware of the fact biology was never my strongest class, one of the differences between ransomware and cryptojacking is of course the absence of destruction in the latter. A parasite needs the host to stay alive, and cryptojacking needs the CPU and surrounding hard- and software to generate the calculations and report them to the central mining pool.

Boardroom attention
When the big ransomware attacks broke out in 2017, there was tremendous press attention. Everyone in infosec stood in front of cameras and microphones and explained to the world how bad all of this was. For what it’s worth, boards took notice. When I ask CISO’s what their biggest worries are, they say “ransomware and GDPR”. Many CISO’s have happily leveraged Wannacry, Notpetya and the likes to get board face time and secure budgets.

When Smoninru happened, articles were nonchalantly published on page 18, as people assessed the risk to be a slightly higher electricity bill.

A false sense of security
The question is: if you’re infected with a parasite, do you shrug your shoulders, and trust the parasite to keep you alive? Or should you start binging antibiotics like a boss, to eradicate the energy sapping threat from your body?

Let’s not forget Monero mining is just an MO, and unlike a parasite, any malware can pull down a new payload, completely changing it’s behaviour.

Let’s be realistic, but let’s not be lulled in a false sense of security because operational losses due to malware are going down.

2018-04-05T14:52:05+00:00 March 16th, 2018|

About the Author:

Eward Driehuis
Chief Research Officer, SecureLink Group
SecureLink Belgium