Is stealth cryptomining set to overtake ransomware campaigns? A glimpse into the shifting mindset of cybercriminals

The ransomware business has been a lucrative money-making business for cybercriminals in recent years – an increasingly sophisticated menace that has cost government agencies, businesses and individuals plenty of heartache and billions of dollars. While this threat is not going away anytime soon, hackers are pivoting towards another appealing option to generate ill-gotten revenue – cryptomining.

As the value, popularity and usage of cryptocurrencies continue to skyrocket, despite its extremely volatile market, attackers have been shifting towards stealthy cryptocurrency mining campaigns as opposed to more public-facing ransomware campaigns.

Researchers have observed a steady uptick in attacks focusing on cryptocurrency-mining tools that quietly drain victims’ CPU resources, without their knowledge or consent, to generate digital coins. The damage caused by this resource-intensive process has ranged from being an irksome process that slows down infected machines to a critical issue that has caused systems to crash and bring businesses to a standstill.

The bigger payout

According to Cisco’s Talos researchers, there has been a significant increase in the volume of cryptocurrency mining software being delivered to victims globally through vulnerable IoT devices, websites, easy-to-use Javascript APIs and mobile devices. In May 2017, Recorded Future identified 62 types of mining malware put up for sale on the Dark Web with prices ranging from $50 to as much as $850.

“In this business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom,” Talos researchers said. “Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective.”

“To put the financial gains in perspective, an average system would likely generate about $0.25 of Monero per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate $500 per day or $182,500 per year.”

The rise and growth of botnets ensnaring millions of infected systems, particularly exposed IoT devices, could also further push potential annual revenues towards the millions.

Hands-off approach

Besides turning millions of infected systems into lucrative cash cows and reaping a handsome amount of revenue in the process, malicious mining has risen in popularity among cybercrooks for several reasons. Once a miner has been dropped onto a system via phishing emails, malicious documents or web-server exploits, attackers have little to do with its daily running. Undetected by most users, the miner will continue to silently suck energy resources leading to a larger payout for the attackers over time rather than a one-time payout in the case of ransomware.

The cost, systems resources and hardware invested in creating and running a miner falls squarely on the shoulders of the victim and his or her device while the cybercrook receives a steady illegal income without the inherent risks. While cryptomining remains a largely stealthy attack, larger ransomware campaigns have caught the eye of law enforcement and media making it more likely for users to be on the lookout for it.

Meanwhile, cybercriminals have continued to incorporate more sophisticated capabilities, infection and propagation techniques, persistence and evasion mechanisms into cryptomining malware and worms. A slew of popular, high-traffic websites from Showtime and Politifact to the public Wi-Fi network at a Buenos Aires Starbucks have fallen victim to cryptojacking software. They have also been experimenting with various cryptocurrencies from Monero to Zcash for the most profitable outcome.

Rising to the top

Check Point’s latest Global Threat Index noted that cryptomining malware has swiftly risen to become one of the top ten most prevalent malware targeting enterprises, implacting 55% of organizations globally. Popular cryptominers like Coinhive and Cryptoloot have already made it to the top three most prevalent malware threats.

Will mining malware ever overtake ransomware as a go-to method for cybercriminals to make a quick buck? Researchers are still cautiously skeptical for the immediate future. However, they have already seen a notable change in the mindset and approach of attackers towards cryptomining as a faster, more profitable money-making scheme.

“For the first time in the last two years, we are seeing a shift in cybercriminal mentality and a growing skepticism for widespread ransomware campaigns,” Recorded Future said. “As international law enforcement shows exceptional determination, successfully dismantling several highprofile marketplaces and arresting longtime members of the criminal underground, malicious actors are willing to accept less lucrative, but almost risk-free business model.”