By Andy Norton
Some cyberattacks are known to be particularly destructive. For example, Wipers (a class of malware) are designed to partially or completely erase everything on the victim’s machine, typically used in targeted, politically-motivated attacks in support of the agenda of a nation state.
However, other attacks, notably cryptomining, are noticeably non-destructive. Indeed, with cryptomining, instead of destroying the content of a computer, the criminals want the target machine running as constantly and efficiently as possible, because the faster and longer a compromised machine runs, the more money the criminals make.
While not all cryptomining is criminal in nature, the term often refers to a relatively new type of attack that has gained momentum and popularity as a result of its success. There’s a Darwinian selection process when it comes to cyberattacks – if they succeed, they’ll grow and evolve; if they don’t, they’ll die.
The Emergence of Criminal Cryptomining
The concept of cryptomining is new because what is being mined, cryptocurrency, is also relatively new. There is no cryptomining (criminal or legal) without cryptocurrency. And as these new currencies gained popularity (there are now over 1,600 cryptocurrencies), criminals started to figure out how to steal them, both coins that have already been mined, and coins that are yet to be mined.
Each cryptocurrency has a choice of mining algorithm, each with different hardware requirements and dependencies. Some, like the most well-known currency, Bitcoin, require customized hardware, but other currencies can be effectively mined on a normal computer. For example, Monero can be mined by anyone on any machine. But they all require a lot of processing power. Enter criminals and their schemes for illegal cryptomining…
Criminal Techniques Used to Mine Cryptocurrencies
Cryptocurrency mining (or cryptomining) is a legitimate activity, when done legally of course. Naturally, criminals have found a way to make others do the work while they reap the rewards. The ability to mine some cryptocurrencies on off-the-shelf hardware has opened the door for cybercrime to create threats that take over systems for their own benefit, even going so far as to create botnets of cryptomining zombies.
In the criminal context, cryptomining is the unauthorized use of computing resources to mine cryptocurrency. The criminal installs a cryptomining payload onto a victim’s computer which turns it into a cryptominer, often leaving very little processing capacity for the user while diverting all mined cryptocurrency to the criminal.
Mining can consume as much as 100% of the CPU resources, making the attack rather noticeable. In the browser-based variant, where the mining script runs inside a web page the victim has opened, criminals have therefore used “throttling” to specify how much CPU capacity to use, reducing the impact on the browser and making it less noticeable to the site visitor. With or without throttling, when the visitor leaves the webpage, the browser returns to normal, so the criminal is mining cryptocurrency only as long as the user keeps the infected webpage open.
The Latest, Most Popular Attack Vector
In 2018, cryptomining surpassed ransomware – the attack of preference for much of 2017 – for two important reasons:
There are cryptocurrencies that can be mined successfully on standard computers, as opposed to the highly specialized computers needed to mine Bitcoin and others. And some currencies have strong anonymity features which means that illicitly gained coins cannot be identified and blocked or dropped.
If the victim of a ransomware attack does nothing, the criminal makes no money: there are quite a few steps the victim has to work through in order to make the ransom payment (with a cryptocurrency). With cryptomining, by contrast, there is very little the victim has to do in order for the criminal to make money – only click a malicious link or visit a compromised website – and if the victim then does nothing, the criminal still makes money. It’s basically the path of least resistance to earn money — or rather, to create money.
Limitations and What Lies Ahead for Cryptomining
There are limitations to cryptomining – otherwise we certainly would have seen an even larger explosion of these attacks. Primarily, it is limited by the computational power of the computer being used: more computing power equals faster mining. But instead of just using a more powerful computer, criminals decided to use yours and mine. After all, the bigger the botnet that they can set to mining on their behalf, the more cryptocurrency they can mine, in a shorter period of time.
About Andy Norton
Andy Norton is the director of threat intelligence at Lastline. He has been involved in cybersecurity best practices for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye.