Feature

Security alert: Hackers shift focus from ransomware to cryptojacking

Hackers have been increasingly moving towards cryptojacking attacks: hijacking computing resources and using them to mine cryptocurrency.

In May 2018, more than 2,000 computers at one of Aditya Birla Group's overseas subsidiaries were reportedly targeted and used to mine a cryptocurrency named Monero. Experts say that Monero has become the currency of preference among cybercriminals for two reasons: its untraceable nature, and the fact that it can be mined using CPU power, unlike Bitcoin. This has given hackers an incentive to break into IT systems and steal their compute power to mine cryptocurrency without the knowledge of those enterprises.

Over the past year, hackers have increasingly moved towards cryptojacking attacks, whose objective is to steal hardware and energy resources in order to mine cryptocurrency. To achieve this, attackers execute malicious code remotely, either by infecting computers or by luring users to mining websites. The number of users who fell victim to such attacks increased from 1.8 million in 2016–2017 to 2.7 million in 2017–2018, according to Kaspersky.


Comparing the two categories of attack, Kaspersky reports that ransomware attacks on unique users dropped dramatically in 2017–2018, by almost 30% on PCs and 22.5% on mobile devices. Another report, by Symantec, highlights an 8,500 percent rise in detections of crypto-mining malware in 2017. Based on the number of cryptojacking detections, Symantec's report ranks India second in the Asia Pacific and Japan region.

“There has been a major increase in cryptomining attacks in recent months. Many cyber-criminals now favor this method of attack over ransomware and other forms because of the high value of cryptocurrencies. As with ransomware threats, cyber-criminals need to install malicious code on computers and now instead of encrypting files, the code is used to mine cryptocurrency,” says Aditya Khullar, Technical Lead-Security at Paytm.

While the trend started with attacks on home users, it has now expanded to enterprise servers, which give attackers access to far more computing resources than home machines and therefore yield more mined currency. Compromised web servers can also be used to host malware that launches cryptomining scripts in clients' browsers.


Experts say that enterprises are often not even aware that such malware is running on their servers. If it goes undetected, the malware keeps running in the background, consuming computing power and electricity for mining. This sustained load wears the server hardware and may even lead to server failure.

Why do cryptojacking attacks surpass ransomware?
Experts say that ransomware attacks have now become less lucrative as cybersecurity vendors have introduced advanced anti-ransomware solutions. Also, businesses may not even choose to pay the ransom if they have backups of their data. 

"The reason for the increase in cryptojacking attacks, which are assumed to surpass the number of ransomware attacks very soon, is the increase in awareness within the community around ransomware. As a result, security vendors have ransomware detection capabilities in their products and end users have better backup strategies for recovery in case of a ransomware attack. This reduces the probability that a hacker earns from a ransomware attack. Whereas cryptojacking has better chances of return on investment for a hacker, as they use the CPU power and resources of a machine to mine cryptocurrency without having to demand a ransom from the user," explains Rajpreet Kaur, senior research analyst at Gartner.

Safeguarding against cryptojacking

  • Be vigilant; watch out for abnormal slowdowns in the IT infrastructure.
  • Regularly update and patch endpoint solutions.
  • Make sure your security vendors have signatures and detection capabilities enabled for cryptojacking malware.
  • In case you experience unusually high CPU consumption, disconnect the machine and scan it for any suspected activity.
  • Block crypto-mining on enterprise networks. Disrupt the process of joining and communicating with the mining pool. Block the addresses and domains used for joining public mining pools.

IT infrastructure affected by cryptojacking code tends to slow down abnormally, and this is one of the first signs that security professionals must watch for. Experts say that prevention is the best tactic, as it helps avoid the costs of such attacks. Therefore, apart from being vigilant about system performance, it is crucial that endpoint solutions are regularly updated and patched.

"Businesses need to understand that cryptojacking just utilizes another piece of malware. And like any other malware, they exploit the passwords, privileges and vulnerabilities of a machine. So, they need to update their anti-virus and anti-malware solutions and make sure their security vendors have signatures and detection capabilities enabled for cryptojacking malware. In case they experience slow machines with unusually high CPU consumption, enterprises should disconnect the machine and scan it for any suspected activity," says Kaur.

Aditya Khullar of Paytm recommends that enterprises block crypto-mining on their networks. This can be done by disrupting the process of joining and communicating with the mining pool. Alternatively, one can block the addresses and domains used to join public mining pools.
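The two safeguards the article emphasises, watching for sustained high CPU consumption and blocking communication with mining pools, can be combined into a simple triage check so that a busy database is not confused with a miner. The Python below is an added example, not code from the article or from any vendor mentioned in it; the hostnames, process names, CPU samples and pool domains are all constructed placeholders (the `.invalid` TLD is reserved and never resolves).

```python
from collections import defaultdict

# Constructed CPU samples (host, process, cpu_percent), one per minute, in order.
CPU_SAMPLES = (
    [("srv01", "kworker-updater", c) for c in (95, 97, 96, 98, 95, 97)]  # steady burn
    + [("srv01", "backup.sh", c) for c in (90, 92, 40, 88, 30, 91)]      # bursty, legit
    + [("db02", "postgres", c) for c in (88, 91, 90, 93, 89)]            # busy but legit
    + [("ws07", "chrome", c) for c in (91, 93, 90, 95, 92)]              # in-browser miner
)
# Constructed placeholder pool domains (.invalid TLD); not real indicators.
POOL_DENYLIST = {"example-mining.invalid", "pool-placeholder.invalid"}
# Constructed egress log lines: "<host> <process> <destination>:<port>".
EGRESS_LOG = [
    "srv01 kworker-updater pool.example-mining.invalid:443",
    "srv01 backup.sh backups.corp.invalid:443",
    "db02 postgres replica.corp.invalid:5432",
    "ws07 chrome xmr.pool-placeholder.invalid:443",
    "ws09 svchost pool-placeholder.invalid:8080",
]

def sustained_high_cpu(samples, threshold=85.0, window=5):
    """(host, process) pairs at or above threshold for `window` consecutive samples."""
    run = defaultdict(int)   # current streak of hot samples per (host, process)
    flagged = set()
    for host, proc, cpu in samples:
        run[(host, proc)] = run[(host, proc)] + 1 if cpu >= threshold else 0
        if run[(host, proc)] >= window:
            flagged.add((host, proc))
    return flagged

def pool_contacts(log_lines, denylist):
    """(host, process, domain) triples whose destination is a denylisted domain or a subdomain of one."""
    hits = set()
    for line in log_lines:
        host, proc, dest = line.split()
        domain = dest.rsplit(":", 1)[0]  # strip the port
        if any(domain == d or domain.endswith("." + d) for d in denylist):
            hits.add((host, proc, domain))
    return hits

def triage(samples, log_lines, denylist):
    """Bucket each (host, process) by which signals fired, so responders can prioritise."""
    cpu = sustained_high_cpu(samples)
    talking = {(h, p) for h, p, _ in pool_contacts(log_lines, denylist)}
    return {
        "cpu_and_pool": sorted(cpu & talking),       # disconnect and scan first
        "pool_contact_only": sorted(talking - cpu),  # block at egress, investigate
        "high_cpu_only": sorted(cpu - talking),      # probably legitimate load
    }
```

Calling `triage(CPU_SAMPLES, EGRESS_LOG, POOL_DENYLIST)` places the two miners in `cpu_and_pool`, the idle host that still reaches a pool in `pool_contact_only`, and the busy database in `high_cpu_only`, which is the distinction a CPU-only alert cannot make.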