Dark Reading is part of the Informa Tech Division of Informa PLC



7/3/2018 10:30 AM
Jay Kelley
Commentary

Ransomware vs. Cryptojacking

Cybercriminals are increasingly turning to cryptojacking over ransomware for a bigger payday. Here's what enterprises need to know in order to protect their digital assets and bank accounts.

Cryptojacking is catching up to ransomware as the most popular attack vector, according to a number of recently published research reports. To be sure, ransomware is still prevalent and dangerous to businesses and households. But cryptojacking is definitely gaining ground.

What does that mean for security teams? Before I go any further, let me set the record straight about cryptomining and cryptojacking.

  • Cryptomining is the action of mining cryptocurrencies, such as bitcoin, ether (from Ethereum), Ripple, Litecoin, Monero, and one (or more) of over 1,600 other cryptocurrencies currently available from numerous sources. 
  • Cryptojacking is illegally mining cryptocurrencies. It involves stealing the computing and graphics processing power of unsuspecting users' devices to mine crypto, without their permission or knowledge. It can also involve stealing already mined cryptocurrency from another person's crypto wallet. There are countless ways for attackers to cryptojack, and none of them are on the up-and-up.

While ransomware has been the "go-to" play for attackers for some time, ransomware can be complicated. It typically involves a great deal of research, reconnaissance, social engineering, and technical acumen. It can take time to develop the malware to deliver the ransomware, not to mention the ransomware itself. And the payouts, while once lucrative, have now become smaller and smaller, with some companies, educational institutions, and municipalities refusing to pay the ransom, leaving the attacker without what they wanted in the first place: quick, untraceable cash.

Cryptojacking, on the other hand, is not as time consuming or difficult. The most common cryptojacking attack is one in which an attacker simply leverages a legitimate cryptomining program, likely in JavaScript; finds a website running a vulnerable server — which is much more common than you would like or hope to believe — and infects the website with the mining program. Then, every user who visits that website will have the cryptomining program installed in the background, and the attacker will leverage the computing and graphics power of that user's device to mine cryptocurrencies. Done over and over again daily, the attacker can have many, many computers mining crypto for them, unbeknownst to any of their users.

A user might say, "so what?" After all, their device hasn't been infected with malware, like ransomware. All the attacker is stealing is a little power; so, what's the problem? But the user will experience the problem firsthand when his or her system slows to a crawl, and accessing anything on the device becomes exponentially more difficult. It's even worse if the user's device has been cryptojacked by a novice, whose miner could max out the device's CPU trying to solve more of the complex, sophisticated mathematical problems it takes to mine crypto. That would put the computer at risk, possibly destroying it in the process.

Now, imagine the same situation, but instead in a corporate data center. Imagine if all of the servers had cryptomining software loaded on them and were simply churning through the math problems to mine crypto. Corporate services would slow down, causing lost productivity, at best. At worst, if that same situation were to happen at, say, a data center for an electrical utility, it could cause a brownout or a blackout, since the services would run slower and slower as the mining computations grow. If the target was a healthcare provider's data center, and access to electronic health records (EHR) slowed to a crawl, it could mean the difference between life and death.

As more attackers move to cryptojacking, they are also looking for new and foolproof ways to gain access to processing and graphics power. It has now become so difficult to solve the math that leads to a bitcoin payout (a payout is not made for a single bitcoin but for a bitcoin block; the blocks make up the blockchain, and the number of bitcoins awarded per block varies, but it has been in the 12+ bitcoin range) that most serious miners use hundreds of specific, expensive ASIC-based mining systems. But it's far easier to mine ether or bitcoin, or any of the other cryptocurrencies available.

Plus, for the attackers, the payout is much higher, and has a better guarantee of payoff than ransomware, at this point. The return on cryptocurrencies may continue to be volatile, but at least the outcome is certain: There will be a "payday" for the attacker, in untraceable currency, which is not assured anymore when it comes to ransomware demands.

How can businesses protect themselves and their devices from cryptojacking? Here are five places to start:

  1. Determine whether on-device processes are consuming large quantities of device resources, and whether that load is coming from a browser-based miner. Check CPU and GPU usage on computing devices.
  2. Block JavaScript on the browser. This will work, but could be very limiting, as JavaScript is used in many web-based applications and on websites.
  3. Keep patches updated. This should go without saying, but, unfortunately, it needs to be stated and restated.
  4. Use an anti-malware program or service that blocks cryptominers and/or download a cryptominer-blocking plug-in for your browser. But be aware: these programs and services can be usurped and fooled into complacency.
  5. Employ web browser isolation, which should block any active content, such as JavaScript, from being downloaded directly to a user's device but should also allow any active content to remain active, possibly by re-rendering it in safer code.
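The first step above, checking whether sustained CPU load comes from a browser or from a standalone process, can be scripted. The following is an added example, not code from the article or from Menlo Security; the process snapshots are constructed and the set of browser process names is an assumption.

```python
"""Flag processes whose CPU use stays high across several samples. Added
example for step 1 above (check CPU usage, and tell a browser-based miner from
a standalone one); not code from the article. Sample data is constructed."""
from collections import defaultdict

# Assumption: process names of browser renderers; sustained load in one of
# these points at an in-page (JavaScript) miner rather than a native binary.
BROWSER_PROCESSES = {"chrome", "firefox", "msedge", "safari"}
CPU_THRESHOLD = 80.0   # percent of one core, per sample
MIN_SUSTAINED = 4      # consecutive hot samples before we report

def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_run=MIN_SUSTAINED):
    """Return {pid: (name, longest_run)} for processes at or above `threshold`
    for at least `min_run` consecutive samples. `samples` is a list of snapshots,
    oldest first, each a list of (pid, name, cpu); short spikes never qualify."""
    runs = defaultdict(int)   # pid -> current run of consecutive hot samples
    best = {}                 # pid -> (name, longest run seen so far)
    for snapshot in samples:
        seen = set()
        for pid, name, cpu in snapshot:
            seen.add(pid)
            if cpu >= threshold:
                runs[pid] += 1
                if runs[pid] > best.get(pid, (name, 0))[1]:
                    best[pid] = (name, runs[pid])
            else:
                runs[pid] = 0
        for pid in list(runs):   # a process missing from a snapshot breaks its run
            if pid not in seen:
                runs[pid] = 0
    return {pid: v for pid, v in best.items() if v[1] >= min_run}

def classify(findings):
    """Label each sustained-hot process as browser-based or standalone."""
    return {pid: "browser-based miner?" if name.lower() in BROWSER_PROCESSES
            else "standalone process" for pid, (name, _) in findings.items()}

# Constructed snapshots taken 30 s apart: pid 4120 (a browser tab) and pid
# 7788 (an unknown binary) stay hot; pid 9001 is a brief compile spike.
SAMPLES = [
    [(4120, "chrome", 95.0), (7788, "updater", 98.0), (9001, "cc1", 99.0), (1, "systemd", 0.3)],
    [(4120, "chrome", 92.0), (7788, "updater", 97.0), (9001, "cc1", 99.0), (1, "systemd", 0.1)],
    [(4120, "chrome", 94.0), (7788, "updater", 99.0), (1, "systemd", 0.2)],
    [(4120, "chrome", 96.0), (7788, "updater", 98.0), (1, "systemd", 0.2)],
    [(4120, "chrome", 91.0), (7788, "updater", 99.0), (1, "systemd", 0.4)],
]

if __name__ == "__main__":
    print(classify(sustained_high_cpu(SAMPLES)))   # two hits: 4120 and 7788
```

On a real endpoint the snapshots would come from periodic `ps` or Task Manager samples; the consecutive-sample requirement is what keeps a compile job or video decode from being reported as a miner.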


Jay Kelley is senior product and digital marketing manager for Menlo Security, Inc., responsible for the company's social media presence, go-to-market strategy and execution, vertical market-focused materials, and marketing content development. Prior to Menlo, Jay was senior ...