7/3/2018 10:30 AM
Jay Kelley
Commentary

Ransomware vs. Cryptojacking

Cybercriminals are increasingly turning to cryptojacking over ransomware for a bigger payday. Here's what enterprises need to know in order to protect their digital assets and bank accounts.

Cryptojacking is catching up to ransomware as the most common form of attack, according to a number of recently published research reports. To be sure, ransomware is still prevalent and dangerous to businesses and households. But cryptojacking is definitely gaining ground.

What does that mean for security teams? Before I go any further, let me set the record straight about cryptomining and cryptojacking.

  • Cryptomining is the act of mining cryptocurrencies, such as bitcoin, ether (from Ethereum), XRP (Ripple), Litecoin, Monero, and one (or more) of the over 1,600 other cryptocurrencies currently traded.
  • Cryptojacking is mining cryptocurrency with computing power you are not entitled to. It means hijacking the CPU (and sometimes GPU) of unsuspecting users' devices to mine crypto without their permission or knowledge. The term is sometimes stretched to cover stealing already mined coins from someone else's wallet, though that is plain theft rather than mining. There are countless ways to cryptojack, and none of them is legitimate.

While ransomware has been the "go-to" play for attackers for some time, ransomware can be complicated. It typically involves a great deal of research, reconnaissance, social engineering, and technical skill. It takes time to develop the ransomware itself and the loader or phishing lure that delivers it. And the payouts, while once lucrative, have become smaller and smaller, with some companies, educational institutions, and municipalities refusing to pay, leaving the attacker without what they wanted in the first place: quick, hard-to-trace cash.

Cryptojacking, on the other hand, is neither time consuming nor difficult. The most common form is one in which an attacker takes an off-the-shelf browser mining script, written in JavaScript (often with a WebAssembly hashing core); finds a website running on a vulnerable or poorly maintained server, which is far more common than you would like to believe; and injects the script into the site's pages. Nothing is installed on the visitor's machine: the script runs inside the browser for as long as the page is open, and the attacker uses that visitor's CPU cycles to mine. Done across many sites and many visitors every day, the attacker ends up with a great many computers mining for them, unbeknownst to any of their users.
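The check a site owner would want after reading the above is a script inventory: does each page still load only the scripts you put there? The following is an added example (not code from the article or from Menlo Security) that parses a page, lists every external script source and inline script body, flags sources outside an assumed allowlist of your own hosts, and flags inline scripts showing the traits of browser miners (WebAssembly instantiation, Web Workers, hash-rate or stratum-pool strings). The hostnames, the allowlist, and the sample page are all constructed for the example, and the miner patterns are heuristics worth a human look, not proof.

```python
"""Inventory the scripts a web page loads and flag ones that look injected.

Added example, not code from the original article. Assumptions: the site
owner keeps an allowlist of hosts it legitimately loads scripts from, and
the miner indicators below are heuristics that warrant review, not proof.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical site expects to load scripts from (assumption).
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.com", "cdn.example-shop.com"}

# Traits common to browser miners: they compile WebAssembly hashing code and
# spread the work across Web Workers so the page itself stays responsive.
MINER_PATTERNS = [
    re.compile(r"WebAssembly\.(instantiate|compile)", re.I),
    re.compile(r"new\s+Worker\s*\(", re.I),
    re.compile(r"hashesPerSecond|hashrate|stratum", re.I),
]


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []    # src attribute values
        self.inline = []      # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html, page_host):
    """Return a list of (kind, detail) findings for scripts that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc or page_host   # relative src -> same host
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        hits = [p.pattern for p in MINER_PATTERNS if p.search(body)]
        if hits:
            findings.append(("inline-script-miner-indicators", ", ".join(hits)))
    return findings


# Constructed sample page: one legitimate script, one injected external
# loader on a host not in the allowlist, and one injected inline snippet
# with miner-like traits. None of these hosts or scripts are real.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-shop.com/app.js"></script>
<script src="//static-assets.example.net/lib/load.js"></script>
<script>
  var w = new Worker('/w.js');
  WebAssembly.instantiate(buf).then(function (m) { w.postMessage(m); });
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML, "www.example-shop.com"):
        print(kind, "->", detail)
```

Run this against a crawl of your own pages on a schedule and diff the output against the previous run; a new external host or a new inline script with these traits on a page nobody changed is exactly the signal the injection described above leaves behind.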

A user might say, "so what?" After all, their device hasn't been infected with malware like ransomware; all the attacker is stealing is a little processing power. But the user experiences the problem firsthand when the system slows to a crawl and everything on the device becomes painfully sluggish. It is worse still if the miner was configured by a novice, or deliberately set to run flat out: it will peg every CPU core on the hashing puzzles that mining requires, driving up heat and power draw, shortening battery life on laptops, and, on poorly cooled hardware, risking damage.

Now imagine the same situation in a corporate data center. Imagine if all of the servers had mining software loaded on them and were simply churning through hashes. Corporate services would slow down, causing lost productivity at best. At worst, if the affected systems were in, say, the data center of an electrical utility, starving grid operations and monitoring services of CPU could contribute to a brownout or a blackout. If the target was a healthcare provider's data center, and access to electronic health records (EHR) slowed to a crawl, it could mean the difference between life and death.

As more attackers move to cryptojacking, they are also looking for new and reliable ways to get hold of processing power. Bitcoin mining has become so difficult that it is out of reach for commodity hardware: the reward is paid not per bitcoin but per block successfully mined (the chained blocks make up the blockchain), it was 12.5 bitcoin per block at the time of writing and halves roughly every four years, and serious miners use hundreds of purpose-built, expensive ASIC rigs to compete for it. It is far easier to mine currencies whose algorithms are designed to run on ordinary CPUs, such as Monero, which is why browser-based miners and miners dropped on commodity hardware target those rather than bitcoin.

Plus, for the attackers, the payout can be higher and is more reliable than ransomware at this point. The value of the mined coins may be volatile, but the outcome is certain: there will be a "payday" for the attacker, in a currency that is hard to trace, which is no longer assured when it comes to ransom demands.

How can businesses protect themselves and their devices from cryptojacking? Here are five places to start:

  1. Determine whether device resources are being consumed by an on-device process or by a browser-based miner. Check CPU (and GPU) usage on computing devices, and look for processes, browser tabs included, that stay pegged for long stretches rather than spiking briefly.
  2. Block JavaScript in the browser. This works, but can be very limiting, as JavaScript is used in many web-based applications and on most websites.
  3. Keep patches up to date. This should go without saying, but, unfortunately, it needs to be stated and restated; the website compromises that seed browser miners typically exploit unpatched servers and web applications.
  4. Use an anti-malware program or service that blocks cryptominers, and/or install a cryptominer-blocking plug-in for your browser. But be aware: these tools rely on blocklists and signatures, and miners evade them by moving to new domains or obfuscating their scripts.
  5. Employ web browser isolation, which keeps active content such as JavaScript from executing directly on a user's device while still letting the user interact with it, typically by executing the page remotely and re-rendering it in a safer form.
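Step 1 above is the one that needs tooling rather than a policy, so here is an added example (not code from the article or from Menlo Security) of the detection logic: it takes successive snapshots in the shape of `ps -eo pid,comm,%cpu` output, keeps a per-process history, and alerts only on processes that have held a core above a threshold for several consecutive samples, labelling a suspect as a browser (likely a web page miner) or some other binary (likely a miner dropped on the host). The snapshots, the process names, the 80% threshold and the three-sample window are all constructed or assumed for the example; tune the last two to your fleet, and feed the function real snapshots from `ps`, psutil or your EDR's telemetry.

```python
"""Flag processes that keep a CPU pegged across several samples and say
whether the suspect is a browser (likely a web page miner) or something else.

Added example, not code from the original article. Assumptions: input is
`ps -eo pid,comm,%cpu` text taken at a fixed interval, the sample text is
constructed, and the threshold and window are starting points to tune.
"""
from collections import defaultdict

BROWSERS = {"chrome", "chromium", "firefox", "msedge", "safari"}
CPU_THRESHOLD = 80.0     # percent of one core; assumption
SUSTAINED_SAMPLES = 3    # consecutive samples above threshold; assumption


def parse_ps(text):
    """Parse `ps -eo pid,comm,%cpu` output into {(pid, comm): cpu_percent}."""
    rows = {}
    for line in text.strip().splitlines()[1:]:   # skip the header line
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, cpu = int(parts[0]), float(parts[-1])
        comm = " ".join(parts[1:-1])              # comm may contain spaces
        rows[(pid, comm)] = cpu
    return rows


def find_sustained_hogs(samples):
    """samples: list of ps outputs in time order.

    Returns sorted [(pid, comm, kind, max_cpu)] for processes that were at or
    above CPU_THRESHOLD in each of the last SUSTAINED_SAMPLES samples. A
    process that spikes once and drops back (a build, a video encode) is not
    reported; a miner never drops back on its own.
    """
    history = defaultdict(list)
    for text in samples:
        rows = parse_ps(text)
        for key in set(history) | set(rows):
            history[key].append(rows.get(key, 0.0))   # gone -> 0% this interval
    findings = []
    for (pid, comm), cpus in history.items():
        recent = cpus[-SUSTAINED_SAMPLES:]
        if len(recent) == SUSTAINED_SAMPLES and all(c >= CPU_THRESHOLD for c in recent):
            base = comm.lower().split("/")[-1].split(".")[0]
            kind = ("browser-based-miner-suspect" if base in BROWSERS
                    else "on-device-miner-suspect")
            findings.append((pid, comm, kind, max(recent)))
    return sorted(findings)


# Constructed samples, taken 10 s apart on a hypothetical host. PID 4021 is a
# browser pegging a core for the whole window, PID 5150 an unknown binary
# (name made up for the example) doing the same, PID 1207 a compiler job
# that spikes once and finishes.
SAMPLES = [
    """  PID COMMAND         %CPU
  4021 chrome           92.0
  5150 kworkerd         97.5
  1207 cc1plus          99.0
   880 sshd              0.1
""",
    """  PID COMMAND         %CPU
  4021 chrome           95.3
  5150 kworkerd         98.1
  1207 cc1plus          12.0
   880 sshd              0.0
""",
    """  PID COMMAND         %CPU
  4021 chrome           91.8
  5150 kworkerd         97.9
   880 sshd              0.0
""",
]

if __name__ == "__main__":
    for pid, comm, kind, peak in find_sustained_hogs(SAMPLES):
        print(f"pid={pid} comm={comm} {kind} peak={peak:.1f}%")
```

A browser hit points you at the user's open tabs (and at step 2, 4 or 5 for that user); an on-device hit is a host-level incident, since something had to put the binary there, and belongs with your malware response rather than your web filtering.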


Jay Kelley is senior product and digital marketing manager for Menlo Security, Inc., responsible for the company's social media presence, go-to-market strategy and execution, vertical market-focused materials, and marketing content development. Prior to Menlo, Jay was senior ...