
Attacks/Breaches

7/3/2018 10:30 AM
Jay Kelley
Commentary

Ransomware vs. Cryptojacking

Cybercriminals are increasingly turning to cryptojacking over ransomware for a bigger payday. Here's what enterprises need to know in order to protect their digital assets and bank accounts.

Cryptojacking is catching up to ransomware as the most popular attack vector, according to a number of recently published research reports. To be sure, ransomware is still prevalent and dangerous to businesses and households. But cryptojacking is definitely gaining ground.

What does that mean for security teams? Before I go any further, let me set the record straight about cryptomining and cryptojacking.

  • Cryptomining is the action of mining cryptocurrencies, such as bitcoin, ether (from Ethereum), Ripple, Litecoin, Monero, and one (or more) of over 1,600 other cryptocurrencies currently available from numerous sources. 
  • Cryptojacking is illegally mining cryptocurrencies. It involves stealing computing and graphics processing power from unsuspecting users' devices to mine crypto, without their permission or knowledge. It can also involve stealing already mined cryptocurrency from another's crypto wallet. There are countless ways for attackers to cryptojack cryptocurrency, and none of them are on the up-and-up.

While ransomware has been the "go to" play for attackers for some time, ransomware can be complicated. It typically involves a great deal of research, reconnaissance, social engineering, and technical acumen. It can take time to develop the malware to deliver the ransomware, not to mention the ransomware itself. And, the payouts, while once lucrative, have now become smaller and smaller, with some companies, educational institutions, and municipalities refusing to pay the ransom, leaving the attacker without what they wanted in the first place: quick, untraceable cash.

Cryptojacking, on the other hand, is not as time consuming or difficult. The most common cryptojacking attack is one in which an attacker simply leverages a legitimate cryptomining program, likely in JavaScript; finds a website running a vulnerable server (which is much more common than you would like or hope to believe); and infects the website with the mining program. Then, every user that visits that website will have the cryptomining program running in the background, and the attacker will leverage the computing and graphics power from that user's device to mine cryptocurrencies. Done over and over again daily, the attacker can have many, many computers mining crypto for them, unbeknownst to any of their users.

A user might say, "so what?" After all, their device hasn’t been infected with malware, like ransomware. All the attacker is stealing is a little power; so, what’s the problem? But, the user will experience the problem firsthand when their system slows to a crawl, and accessing anything on their device becomes exponentially more difficult. It’s even worse if the user’s device has been cryptojacked by a novice; they could max out the performance of the CPU on the device to try and solve more of the complex, sophisticated mathematics problems it takes to mine crypto. That would put the computer at risk, possibly destroying it in the process.

Now, imagine the same situation, but instead in a corporate data center. Imagine if all of the servers had cryptomining software loaded on them, and were simply churning through the math problems to mine crypto. Corporate services would slow down, causing lost productivity, at best. At worst, if that same situation were to happen at, say, a data center for an electrical utility, it could cause a brownout or a blackout, since the services would be running slower and slower, as the computations increase as crypto is being mined. If the target was a healthcare provider’s data center, and access to electronic health records (EHR) slowed to a crawl, it could mean the difference between life and death.

As more attackers move to cryptojacking, they are also looking for new and foolproof ways to gain access to processing and graphics power. Solving the math that leads to a bitcoin payout has become so difficult that most serious miners use hundreds of purpose-built, expensive ASIC-based mining systems. (A payout is not made on a single bitcoin but on a bitcoin block, and the blocks in turn make up the blockchain; the number of bitcoins per block varies, but has been in the 12+ bitcoin range.) It is far easier, however, to mine ether or litecoin, or any of the other cryptocurrencies available.

Plus, for the attackers, the payout is much higher, and has a better guarantee of payoff than ransomware, at this point. The return on cryptocurrencies may continue to be volatile, but at least the outcome is certain: There will be a “payday” for the attacker, in untraceable currency, which is not assured anymore when it comes to ransomware demands.

How can businesses protect themselves and their devices from cryptojacking? Here are five places to start:

  1. Determine whether on-device processes are consuming large amounts of device resources, or whether the load is coming from a browser-based miner. Check CPU and GPU usage on computing devices.
  2. Block JavaScript on the browser. This will work, but could be very limiting, as JavaScript is used in many web-based applications and on websites.
  3. Keep patches updated. This should go without saying; but, unfortunately, it needs to be stated and restated.
  4. Use an anti-malware program or service that blocks cryptominers, and/or download a cryptominer blocking plug-in for your browser. But be forewarned: these programs and services can be usurped and fooled into complacency.
  5. Employ web browser isolation, which should block any active content, such as JavaScript, from being downloaded directly to a user’s device, but should also allow any active content to remain active, possibly by re-rendering it in safer code.
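As an added example (not code from the original column), here is a Python triage script for step 1 of the list above: it walks per-process CPU readings, flags processes whose load stays above a threshold for a sustained run (mining is continuous, so run length filters out legitimate bursts such as a compile), and then separates browser processes, where an in-page miner is the likely cause, from on-device processes. The pids, process names and readings are constructed for the example; on a real host they would come from a sampler such as `ps` or Task Manager.

```python
from collections import defaultdict

# Constructed process samples: (timestamp_s, pid, process_name, cpu_percent),
# one reading every 10 s. All pids, names and values are invented for this example.
TICKS = range(0, 70, 10)
SAMPLES = (
    [(t, 4242, "chrome", c) for t, c in zip(TICKS, [88, 92, 90, 95, 91, 89, 93])]  # steady tab load
    + [(t, 1313, "cc1", c) for t, c in zip(TICKS, [90, 95, 3, 2, 1, 2, 1])]        # short compile burst
    + [(t, 777, "chrome", 18) for t in TICKS]                                       # idle browser
    + [(t, 999, "chrome", c) for t, c in zip(TICKS, [55, 58, 56, 57, 55, 59, 56])]  # throttled miner
    + [(t, 2020, "updater", 97) for t in TICKS]                                     # non-browser hog
)

BROWSERS = {"chrome", "firefox", "msedge", "safari"}


def find_sustained(samples, threshold=50.0, min_seconds=30):
    """Return {pid: (name, seconds)} for processes that stayed at or above
    `threshold` % CPU for at least `min_seconds` of consecutive readings.
    A throttled miner (e.g. ~55%) still shows up because the run never breaks."""
    by_pid = defaultdict(list)
    for ts, pid, name, cpu in sorted(samples):
        by_pid[pid].append((ts, name, cpu))
    hits = {}
    for pid, rows in by_pid.items():
        run_start, longest = None, 0
        for ts, name, cpu in rows:
            if cpu >= threshold:
                run_start = ts if run_start is None else run_start
                longest = max(longest, ts - run_start)
            else:
                run_start = None  # the run broke: bursty, not mining-like
        if longest >= min_seconds:
            hits[pid] = (rows[0][1], longest)
    return hits


def classify(hits):
    """Split sustained consumers into browser-based (check the open tabs for an
    in-page miner) and on-device processes (check the binary itself)."""
    return {pid: ("browser-based" if name in BROWSERS else "on-device")
            for pid, (name, _) in hits.items()}


if __name__ == "__main__":
    found = find_sustained(SAMPLES)
    for pid, kind in classify(found).items():
        name, secs = found[pid]
        print(f"pid {pid} ({name}): {secs}s sustained load, {kind}")
```

Sustained load is a triage signal, not proof: video encoding or a long build also sustains CPU, so a browser hit should be confirmed by looking at which page the busy tab has open.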


Jay Kelley is senior product and digital marketing manager for Menlo Security, Inc., responsible for the company's social media presence, go-to-market strategy and execution, vertical market-focused materials, and marketing content development. Prior to Menlo, Jay was senior ...