Earlier this year, a report from Symantec Threat Intelligence showed how cryptomining operations had slowly gained prominence over other tactics used by cyber-criminals to earn money. Incidents of cryptomining rose by 1,200 percent in the UK in the first few months of the year, making it among the top cyber concerns for both enterprises and individuals according to the report.
Now a new report from Skybox Security, the Vulnerability and Threat Trends Report, shows that the use of cryptomining by cyber-criminals for personal gain hasn't abated. Between January and June this year, malicious cryptomining accounted for 32 percent of all attacks while ransomware attacks accounted for just eight percent.
Compare this with the last six months of 2017, when ransomware accounted for 32 percent of attacks while malicious cryptominers accounted for just seven percent. Such a quick turnaround in criminals' preference for cryptomining suggests how effective and lucrative such operations have been for them in the recent past.
"In the last few years, ransomware reigned supreme as the shortcut money-maker for cyber-criminals. It doesn’t require data exfiltration, just encryption to hold the data hostage and a ransom note of how the victim can pay up. With cryptominers, the criminals can go straight to the source and mine cryptocurrency themselves. There’s no question of if they’ll be paid or not," said Ron Davidson, CTO and vice president of R&D at Skybox.
According to Skybox, the rise in cryptomining at the cost of ransomware could also be because many organisations have put effective precautions in place to detect and prevent ransomware attacks and have also ensured they have reliable back-ups to prevent the loss of sensitive data to such attacks and to avoid paying ransom to attackers.
Commenting on the perceived harmlessness of cryptomining attacks compared to ransomware attacks, Liron Barak, CEO and co-founder of BitDam, told SC Magazine UK that cyber-criminals prefer cryptomining as these are stealthy attacks which can stay under the radar and don't interrupt the organisations' workflow too much, unlike "regular" ransomware attacks, while still getting their fiscal value through the extra mining resources available to them.
Javvad Malik, security advocate at AlienVault, said that the process of carrying out cryptomining is also much easier than carrying out a ransomware attack. "In many ways cyber-criminals operate in the same way as regular businesses in that they are after the biggest return on investment with the least amount of effort.
"For many, ransomware can involve multiple steps including setting up of cryptocurrency wallets to receive payment, or negotiating payment with affected parties. With cryptominers, the steps to guaranteed revenue are much reduced as it only involves installing the malware to mine currencies," he said.
When asked if there is less focus on cryptomining compared to ransomware attacks because they seem to be harmless, Giovanni Vigna, co-founder and CTO of Lastline, told SC Magazine UK that many security tools are not as concerned with cryptomining as they see it more as a nuisance than a real threat. However, malicious software installed on an enterprise endpoint is a first bridgehead into a company’s infrastructure regardless of the type of threat.
He added that organisations' spending on cyber-security should focus on detecting and isolating malware as this will stop both cryptomining and ransomware attacks and will also prevent cyber-criminals from gaining access to enterprise endpoints.
Matt Walmsley, EMEA Director at Vectra, told SC Magazine UK that the surge in cryptomining attacks is because of the financial opportunities that arise from cryptocurrency market values and the anonymity of the transactions. There is also less complexity and risk in the process between execution and monetisation due to there being no human victim interaction required in the process.
"Organisations need to ensure they do not constrain legitimate organisational digital activities but must improve their ability to quickly detect and definitively respond to cyber threats. By looking to AI to automate the detection of and response to cryptojacking, and other attacker behaviours, enterprises can get ahead of attacks and consequently better manage their cyber-risk," he added.
The report from Skybox Security also found that cyber-criminals have started exploiting new vulnerabilities in mobile platforms to launch cryptomining attacks. Google's Android platform logged 200 more vulnerabilities between January and June than in the last six months of 2017, thereby giving criminals the opportunity to target the App Store and infect billions of devices with cryptomining malware masquerading as genuine apps.
The firm also warned about the threat from cyber-criminals injecting mining malware via web browsers. "Out of all software today, web browsers are considered the most prone to malicious attacks. They constantly interact with websites and applications that cyber-criminals have infected with malware like cryptominers and other threats via the web, which are notoriously difficult to detect.
"The cryptomining malware could be active as long as the web session is active, and ‘file-less’ cryptominers also can hide from conventional security tools as there’s no download or attachment to analyse," said Marina Kidron, director of threat intelligence at Skybox.