Ransomware is No Longer the King of Malware!

7/9/2018

Remember a year ago when everyone was reeling from the Petya and WannaCry ransomware attacks? How at that time ransomware was top of mind for cybersecurity professionals and anyone else paying attention to IT security? We all rushed to make sure we’d patched the Windows SMB flaw (MS17-010) that the EternalBlue exploit targets, and took other measures that may have been far more extreme, to prevent our systems from being encrypted by malware actors who would then demand a ransom just to give us access to our own data. Remember that? It was only a year ago.

Things have changed. Ransomware IS a continuing major threat and many thousands of these types of infections still occur every month, but there is a relatively new type of malware, which doesn’t use the ‘in your face, encrypt your files’ flashy type of attack. No, the new king in the malware realm is known as cryptojacking. Never heard of it? No idea what it does? Let’s take a short (or maybe not so short 😊) jaunt into the basics of what cryptojacking is and the value it provides to malware authors.

A Quick Primer on Cryptocurrency

If you’ve been reading or listening to anything in IT or the financial sector in the past 3-4 years you’ve probably heard the term Bitcoin. Bitcoin is the most well-known example of a new type of currency called cryptocurrency. These are completely digital; no physical money is involved. They are not backed or controlled by any government or private company but are completely decentralized. Just as with standard currencies, to ensure that the currency doesn’t lose its value and that the integrity of every transaction can be maintained, there must be some type of ledger or record of all transactions.

First: Welcome to the Blockchain

Blockchain is the technology that serves as the ledger for these cryptocurrency transactions. With the blockchain ledger we have a record of all transactions that is visible to everyone and is very hard to tamper with, because every participant holds a complete copy of the ledger and every block is cryptographically tied (by its hash) to the block before it, so changing an old record would be obvious to everyone else. The ledger isn’t stored in a bank or on a group of government servers but is replicated to every computer (known as a node) in the blockchain network. Here is an example of how it works:

I decide to buy a car from my friend Joe. We agree on a price of 2 Bitcoins for the car. So, my computer broadcasts a message to the whole network that I have spent 2 Bitcoins and Joe has gained 2. To make sure that people don’t spend the same Bitcoins multiple times (or send out a message to delete a transaction after the seller has supplied the purchased goods), all transactions go through a consensus process in which the nodes agree on what happened. In that process multiple transactions are grouped together in what are called blocks. Each block holds a batch of transactions (up to a size limit) and is linked to the previous block by including that block’s hash. As more blocks are created and added, the result is a linked set of blocks, or blockchain. Before a transaction is placed in a block its validity is checked by the nodes against the existing blocks (for example, to make sure I actually have 2 Bitcoins to give to Joe 😊). Transactions not yet in a block are considered unconfirmed. Once a transaction is in a block it has been confirmed as valid and all nodes in the network agree to that validity. At that point the transaction is considered complete and cannot practically be changed or removed, because altering it would change the block’s hash and break the link from every block that follows. It becomes part of the permanent ledger that is replicated to all systems in the network.

Next: Let’s Talk About Mining

Blocks can’t just be randomly added to the blockchain. In order for a node to add a block, the node must first solve a computational puzzle known as proof of work. The puzzle is built on a hash function. In security a hash function is a one-way function: it takes any input and produces a fixed-size fingerprint (the hash), and there is no practical way to run it backwards from the hash to the input. It is not encryption; there is no key and nothing to decrypt. It’s one way, irreversible.

Here is the interesting part. The only way to solve the puzzle is to keep changing a throwaway number in the block (the nonce), hashing the block, and checking the result. No kidding. The nodes trying to solve the problem are literally guessing until they get it right. An acceptable answer is a hash of the new block’s contents (which include the previous block’s hash) that falls below a defined target value. If your hash isn’t below the target you just keep guessing. Your average computer could eventually find an answer, but on its own it would likely take a year or more. Thousands of computers working on it in parallel find one much faster, and the network adjusts the target so that on average a new block is solved and added every 10 minutes.

As you could guess, this process takes some serious computing resources and a whole lot of electricity to both power these groups of computers and keep them sufficiently cooled.

But there is a benefit here. The first person to get a correct answer to add the new block is rewarded with some cryptocurrency. Basically, you get paid for being the first to solve the mathematical problem. Your payment is (in this case) receiving some Bitcoin (or whatever currency you are solving for).

The whole process of 1) guessing nonces until you find a hash below the target, 2) creating a block to add to the chain and then 3) getting rewarded is called cryptocurrency mining. You’re putting in all this effort (computer resources, power, etc.) to get cryptocurrency coins. So, you’re mining. Make sense? 😊 FYI, groups of miners that combine their computing power and split the rewards are called mining pools. It’s much more complex than this short explanation, but it’ll do for our purposes. You’re welcome.
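To make the chaining and the guessing concrete, here is a toy proof-of-work chain written as an added example for this post; it is not code from Bitcoin or any real cryptocurrency client. It assumes a 16-bit difficulty, a block subsidy of 50 coins, a JSON-serialised block in place of Bitcoin’s 80-byte binary header, and the illustrative names “me”, “joe”, “miner” and “mallory”. It covers both the car purchase from the ledger section (nodes checking that I really have 2 coins) and the mining section (nonce guessing against a target, and why an old block can’t be quietly rewritten).

```python
import copy
import hashlib
import json

# Added illustration of the ideas in the text: each block carries the previous
# block's hash, and adding a block means guessing a nonce until the block's
# own hash falls below a target. Bitcoin double-SHA-256s an 80-byte binary
# header; this toy hashes a JSON-serialised dict, which shows the same mechanism.

DIFFICULTY_BITS = 16                    # toy difficulty (assumption); Bitcoin's is far higher
TARGET = 2 ** (256 - DIFFICULTY_BITS)   # a block's hash must be below this integer
REWARD = 50                             # toy block subsidy paid to the miner (assumption)


def block_hash(block: dict) -> int:
    """Double SHA-256 of the canonical serialisation, as a 256-bit integer."""
    data = json.dumps(block, sort_keys=True).encode()
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def balances(chain: list) -> dict:
    """Replay every transaction in the chain to get each party's balance."""
    bal = {}
    for block in chain:
        for tx in block["transactions"]:
            if tx["from"] != "coinbase":           # coinbase = newly minted reward
                bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
            bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return bal


def valid_transactions(chain: list, txs: list) -> bool:
    """What the nodes check before accepting a block: nobody spends coins they
    don't have, and there is exactly one coinbase transaction worth REWARD."""
    bal = balances(chain)
    coinbase_count = 0
    for tx in txs:
        if tx["from"] == "coinbase":
            coinbase_count += 1
            if tx["amount"] != REWARD:
                return False
            continue
        if bal.get(tx["from"], 0) < tx["amount"]:  # "do I really have 2 coins?"
            return False
        bal[tx["from"]] -= tx["amount"]
        bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return coinbase_count == 1


def mine_block(prev_hash: int, txs: list, target: int = TARGET) -> dict:
    """Proof of work: bump the nonce until the block hashes below target."""
    block = {"prev_hash": prev_hash, "transactions": txs, "nonce": 0}
    while block_hash(block) >= target:
        block["nonce"] += 1
    return block


def verify_chain(chain: list, target: int = TARGET) -> bool:
    """Every block must meet the target and point at its predecessor's hash."""
    for i, block in enumerate(chain):
        if block_hash(block) >= target:
            return False
        expected_prev = 0 if i == 0 else block_hash(chain[i - 1])
        if block["prev_hash"] != expected_prev:
            return False
    return True


def build_demo_chain() -> list:
    """The car purchase from the text: 'me' pays 'joe' 2 coins (names are illustrative)."""
    genesis = mine_block(0, [{"from": "coinbase", "to": "me", "amount": REWARD}])
    chain = [genesis]
    txs = [
        {"from": "coinbase", "to": "miner", "amount": REWARD},
        {"from": "me", "to": "joe", "amount": 2},
    ]
    if not valid_transactions(chain, txs):
        raise ValueError("nodes would reject this block")
    chain.append(mine_block(block_hash(genesis), txs))
    return chain


def verify_tampered_copy(chain: list) -> bool:
    """Rewrite history in the genesis block of a copy and re-verify: the hash of
    that block changes, so the next block's prev_hash no longer matches."""
    tampered = copy.deepcopy(chain)
    tampered[0]["transactions"][0]["to"] = "mallory"
    return verify_chain(tampered)


if __name__ == "__main__":
    demo = build_demo_chain()
    print("chain valid:", verify_chain(demo))
    print("balances:", balances(demo))
    print("tampered copy valid:", verify_tampered_copy(demo))
```

Mining the two blocks takes well under a second at 16 bits; raising `DIFFICULTY_BITS` by one roughly doubles the average number of guesses, which is exactly the lever the real network turns to hold the block interval near 10 minutes as more hashing power joins.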

Got It. Tell Me About Cryptojacking

Mining for cryptocurrency can be lucrative. VERY lucrative. As of the time of this writing ONE Bitcoin is worth over $6,500 in United States Dollars. Not bad for 10 minutes’ work. The highest ever recorded value of Bitcoin was just under $20,000. FOR ONE COIN! The value changes literally every second (but many websites just update the value once per minute). With such highly valuable commodities that fluctuate wildly over time there is an opportunity to make (or lose) a lot of money in a very short amount of time.

Unsurprisingly, malware actors want to make as much money as possible without spending their own cash on computers and electricity to build mining pools. What’s an enterprising malware actor going to do? Simple: use other people’s computers. Malware is created (or purchased relatively cheaply) to infect systems and run a miner on them that reports to the attacker’s pool, so the victims’ CPUs and GPUs do the guessing and the attacker collects the reward. The computers are effectively hijacked to mine cryptocurrency. This process of hijacking computers to do cryptocurrency mining is called cryptojacking.

For the malware actors cryptojacking is a MUCH better way to make money, as they now have a reliable revenue stream without the hassle of trying to convince victims to pay ransoms. Therefore it makes financial sense for them to increase cryptojacking attacks: the attacks pay steadily, carry less overhead and can be mostly automated.

Ok, What Can I Do?

First, these attacks are not as obvious as ransomware. There is no screen that pops up demanding you pay money to stop the attack. However, you may notice that your systems have slowed down significantly, that CPUs stay pegged and fans run constantly, or that your electricity usage has skyrocketed. All of these are indications that cryptomining malware may be hijacking your resources.

The good news is that according to US-CERT (the United States Computer Emergency Readiness Team), many of our existing protection strategies will help in defending against cryptojacking. These include:

  • Current anti-virus software
  • Regularly scheduled operating system and application patching
  • Strong passwords, passphrases or, best of all, multifactor authentication
  • Changing default usernames and passwords on systems and devices
  • Reviewing and locking down system policies and privileges
  • Using application whitelisting
  • Avoid downloading content from the Internet as much as possible, being sure to download only from known good websites AND to scan all downloads for malicious content
  • Disable unnecessary services
  • Deploy systems with a pre-tested image and have automated processes in place to remove undesired applications
  • Perform input validation for web-based applications
  • Use hardware firewalls at the perimeter of the network, create a DMZ, place other hardware firewalls at appropriate network segments and run software-based firewalls with central management on all endpoint systems
  • Use blacklists to block known malware sites
  • Use intrusion detection and prevention systems to detect and eliminate attacks in progress

Other strategies specific to cryptojacking include:

  • Monitor inbound and outbound traffic for anomalous patterns indicative of cryptomining, such as workstations holding long-lived connections to mining pools
  • Have a baseline of normal performance on systems for processor, network and memory utilization to detect when cryptojacking malware may be affecting the system
  • Track electricity usage over time and investigate any changes from expected patterns
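As an added example (not from US-CERT or the original post), here is a small Python detector covering the first two bullets: it flags Stratum mining-protocol messages in a constructed sample of connection records, and compares current CPU utilization against a per-host baseline. The flow records, host names, wallet string and CPU figures are all made up for the illustration. The Stratum method names (`mining.subscribe`, `mining.authorize`, `mining.submit` and the Monero-style `login`/`getjob`/`submit`) and the `agent` field in an XMRig `login` message are real protocol details; the destination port is deliberately not used as evidence, because pools listen on arbitrary ports.

```python
import json
from statistics import mean, pstdev

# Method names used by Stratum-style mining protocols: the Bitcoin-style
# "mining.*" family and the Monero/XMRig-style "login"/"getjob"/"submit" dialect.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "getjob", "submit",
}

# Constructed connection records, as a proxy or IDS might log them:
# (source host, destination, destination port, first line of payload).
# Hosts, addresses, wallet and payloads are invented for this example.
SAMPLE_FLOWS = [
    ("ws-17", "203.0.113.10", 443, "GET / HTTP/1.1"),
    ("ws-17", "198.51.100.5", 3333,
     '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'),
    ("ws-17", "198.51.100.5", 3333,
     '{"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}'),
    ("ws-22", "198.51.100.9", 14444,
     '{"id":1,"jsonrpc":"2.0","method":"login","params":'
     '{"login":"44constructedwalletaddress","pass":"x","agent":"XMRig/2.6.2"}}'),
    ("ws-03", "203.0.113.44", 80, "POST /api/v1/login HTTP/1.1"),
]

# Constructed CPU utilization (%) samples: a week of hourly readings per host
# would be more realistic; five points each are enough to show the arithmetic.
BASELINE_CPU = {
    "ws-17": [8, 12, 10, 9, 11],
    "ws-22": [15, 18, 14, 16, 17],
    "build-01": [60, 85, 70, 90, 75],   # a noisy build host, legitimately busy
}
CURRENT_CPU = {"ws-17": 13, "ws-22": 97, "build-01": 88}


def parse_stratum(payload: str):
    """Return (method, agent) if the payload is a Stratum JSON-RPC message, else None."""
    stripped = payload.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    try:
        msg = json.loads(first_line)
    except ValueError:          # plain HTTP, TLS, binary, etc. are not JSON
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    agent = None
    if isinstance(params, dict):                      # XMRig-style login
        agent = params.get("agent")
    elif (msg["method"] == "mining.subscribe" and isinstance(params, list)
          and params and isinstance(params[0], str)):  # subscribe carries the user agent
        agent = params[0]
    return msg["method"], agent


def stratum_hits(flows) -> list:
    """Flows whose payload is a mining-protocol message. Port is reported, not judged."""
    hits = []
    for src, dst, port, payload in flows:
        parsed = parse_stratum(payload)
        if parsed:
            method, agent = parsed
            hits.append({"src": src, "dst": dst, "port": port,
                         "method": method, "agent": agent})
    return hits


def cpu_anomalies(baseline: dict, current: dict, k: float = 3.0, floor: float = 70.0) -> list:
    """Hosts whose current CPU is both above an absolute floor and more than k
    standard deviations above their own baseline mean. The floor stops a quiet
    workstation from alerting on a normal 10-point bump; the per-host z-score
    stops a build server that is always busy from alerting on a busy day."""
    flagged = []
    for host, now in current.items():
        samples = baseline.get(host)
        if not samples:
            continue                                   # no baseline, nothing to compare
        threshold = mean(samples) + k * max(pstdev(samples), 1.0)  # floor the spread at 1%
        if now >= floor and now > threshold:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in stratum_hits(SAMPLE_FLOWS):
        print("mining protocol:", hit)
    print("CPU outliers:", cpu_anomalies(BASELINE_CPU, CURRENT_CPU))
```

In this sample both signals point at ws-22: it sends an XMRig login to a pool and its CPU sits at 97% against a baseline near 16%, while the build host stays below its own threshold despite being busier in absolute terms. Either signal alone is worth a ticket; both together are a strong indication of a cryptojacking infection.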

Conclusion

Cryptojacking attacks are relatively new, and may be more challenging to detect and eradicate, but your standard protections with a few changes can be fairly effective. However due to the fact that these attacks don’t have a long history, malware actors will be refining their methods in order to better evade detection and removal over time. Be vigilant in staying current on the latest security methods and protections to keep this insidious malware from hijacking your systems!

Want to learn more about cybersecurity and how the top companies and government organizations protect their networks, systems, data and people? Check out our NIST Cybersecurity Framework courses!