While 2021 will, unfortunately, play host to a wide variety of threats, it’s unlikely any factor will feature more prominently than cryptocurrency. Two types of attacks leverage cryptocurrency directly: extortion and cryptojacking.
Before cryptocurrency, cybercriminals worked a lot harder to get paid a lot less. Turning stolen personal information or credit cards into a paycheck was a long and labor-intensive process. Often, it involved buying and selling goods, shady forums, and hiring untrusted people to assist with parts of the process.
Much like legitimate markets, cybercrime identified these problems, innovated, and identified better methods. These new methods were more profitable, less risky, and had cryptocurrency at their center.
Cryptojacking is the act of using someone else’s computing resources to mine (generate) cryptocurrency. On the surface, it doesn’t seem terribly nefarious – cryptomining might cause some performance issues, reduce the life of systems a bit, or run up a cloud computing bill. Our friends at Cisco Umbrella tell a different story.
Artsiom Holub, Senior Security Analyst, and Austin McBride, Data Scientist, say that cryptojacking is often just the most visible activity. It is common for cryptojacking malware to also steal credentials. What initially seems like a benign miner, could be an early warning sign for something much more damaging, like a ransomware attack. Holub and McBride also identify two key delivery methods for cryptojacking:
- Software-based: these miners, for all intents and purposes are installed on systems in the same ways malware gets installed and will persist and survive reboots using similar methods. By running as a dedicated process on a system, they can cause more damage and lead to other types of attacks.
Cryptocurrency-enabled Cyber Extortion
Only a few years ago, ransomware was entirely opportunistic and automated, going after individuals and businesses alike. They’d encrypt files on the direct systems they’d get a foothold onto. They might also encrypt attached storage or adjacent file servers but would generally stop there. Ransoms would typically be in the hundreds or low thousands of US dollars (nearly always to be paid in cryptocurrency).
There has been a distinct shift in extortion strategies. Instead of opportunistically targeting individuals attackers now spend more time and effort to extort entire companies at a time, for a much larger payoff. The frequency of these attacks is increasing.
Cybercriminals have kept the opportunistic approach for the first part of the process – searching for working credentials, common vulnerabilities or spraying phishing emails to millions of addresses. When one of these approaches succeeds, the criminals no longer automatically deploy ransomware.
Instead, the rest of the process resembles a penetration test – often down to the tools used (Cobalt Strike is common). The attackers explore the infected organization to determine if it’s worth attacking (ability to pay and likelihood of paying seem to be the key criteria). They then carefully gain access to the internal network and deploy ransomware throughout.
Only when everything is in place do they kick off the process of encrypting files and sending ransom notes.
The full Enterprise Security Weekly interview includes a lot more detail about Cryptojacking and the latest extortion scams! Watch it here or visit https://securityweekly.com/ciscoumbrella for more information.
Also check out our upcoming Webcast with Cisco Umbrella: Top 7 Ways to Evaluate a SASE Service