
Cryptocurrency: Cybercrime’s New Favorite Tool

[Image: Bitcoin and Monero coins on a wood background. Courtesy Quoteinspector.com]

While 2021 will, unfortunately, play host to a wide variety of threats, it’s unlikely any factor will feature more prominently than cryptocurrency. Two types of attacks leverage cryptocurrency directly: extortion and cryptojacking.

Before cryptocurrency, cybercriminals worked a lot harder to get paid a lot less. Turning stolen personal information or credit cards into a paycheck was a long and labor-intensive process. Often, it involved buying and selling goods, shady forums, and hiring untrusted people to assist with parts of the process.

Much like legitimate markets, cybercriminals recognized these problems, innovated, and found better methods. These new methods were more profitable, less risky, and had cryptocurrency at their center.

Cryptojacking

Cryptojacking is the act of using someone else’s computing resources, without their consent, to mine (generate) cryptocurrency. On the surface, it doesn’t seem terribly nefarious – cryptomining might cause some performance issues, shorten the life of systems a bit, or run up a cloud computing bill. Our friends at Cisco Umbrella tell a different story.

Artsiom Holub, Senior Security Analyst, and Austin McBride, Data Scientist, say that cryptojacking is often just the most visible activity. It is common for cryptojacking malware to also steal credentials. What initially seems like a benign miner could be an early warning sign of something much more damaging, like a ransomware attack. Holub and McBride also identify two key delivery methods for cryptojacking:

  1. Browser-based: largely JavaScript-based, these miners are only active as long as a given website or browser tab remains open. They leave nothing behind on disk, so the threat to the device and organization is minimal.
  2. Software-based: these miners are, for all intents and purposes, installed on systems in the same ways malware gets installed, and they persist and survive reboots using the same methods. Because they run as a dedicated process on the system, they can cause more damage and lead to other types of attacks.
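Because software-based miners run as their own process, they leave the kind of evidence endpoint telemetry already records. The following is an added example, not code from the article or from Cisco Umbrella, that scans process-creation events for three indicators a practitioner would look for: a Stratum pool endpoint on the command line (the protocol miners use to talk to pools), a well-known miner binary such as xmrig, or miner-specific flags like xmrig’s --donate-level, plus a masquerading check for a system-binary name running outside a system directory. The event records, host names, pool host names and wallet string are all constructed for the example.

```python
"""Flag likely software-based cryptominers in process-creation events.

Added example, not part of the original article. The sample events below
are constructed; the indicator lists are illustrative, not exhaustive.
"""
import re
from typing import Dict, List

# Constructed sample telemetry: one benign svchost, one miner hiding behind
# the svchost name, one xmrig launched from /tmp, and an ordinary browser.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "jdoe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "ws-017", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.net:3333 "
                "-u WALLET --donate-level 1 -k"},
    {"host": "srv-db01", "user": "SYSTEM",
     "image": "/usr/bin/python3",
     "cmdline": "python3 /tmp/.x/xmrig --algo rx/0 -o pool.example.org:4444 --background"},
    {"host": "ws-042", "user": "asmith",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": "firefox.exe https://news.example.com/"},
]

# Stratum is the pool protocol miners speak; xmrig accepts stratum+tcp and stratum+ssl.
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://", re.IGNORECASE)
MINER_BINARIES = {"xmrig", "minerd", "cpuminer", "xmr-stak", "cgminer", "bfgminer"}
# Flags that are specific to miners (xmrig in particular); weak on their own.
MINER_FLAGS = ("--donate-level", "--coin", "--nicehash", "--cpu-priority", "--algo")
# Names that legitimately live only under these Windows directories.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    """Last path component, lowercased, for either / or \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def indicators_for(event: Dict[str, str]) -> List[str]:
    """Return the list of human-readable indicators found in one event."""
    hits: List[str] = []
    cmd = event["cmdline"]
    tokens = [basename(t) for t in cmd.split()]

    if STRATUM_RE.search(cmd):
        hits.append("stratum pool endpoint on command line")
    named = MINER_BINARIES.intersection(tokens)
    if named:
        hits.append("known miner binary: " + ", ".join(sorted(named)))
    flags = [f for f in MINER_FLAGS if f in tokens]
    if flags:
        hits.append("miner-specific flag(s): " + ", ".join(flags))

    image = event["image"]
    name = basename(image)
    if name in SYSTEM_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        hits.append(f"system binary name {name} outside a system directory")
    return hits


def classify(event: Dict[str, str]) -> Dict[str, object]:
    """Verdict: 'miner' on a strong indicator, 'review' on weak ones, else 'clean'."""
    hits = indicators_for(event)
    strong = any(h.startswith(("stratum", "known miner")) for h in hits)
    verdict = "miner" if strong else ("review" if hits else "clean")
    return {"host": event["host"], "image": event["image"],
            "verdict": verdict, "indicators": hits}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Classify every event; callers escalate anything that is not 'clean'."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(f"{result['host']:10} {result['verdict']:7} {result['image']}")
        for hit in result["indicators"]:
            print(f"{'':10}   - {hit}")
```

The second event is the interesting one: it trips all three checks at once, and a process with a Windows service name running out of a user’s AppData directory is exactly the persistence pattern the article describes. Given the point above that a miner is often the visible part of a larger intrusion, a "miner" verdict is better treated as an incident-response trigger than as a cleanup ticket. A browser-based miner would not show up here at all; it lives inside the browser process and is visible only as CPU load tied to an open tab.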

Cryptocurrency-enabled Cyber Extortion

Only a few years ago, ransomware was entirely opportunistic and automated, going after individuals and businesses alike. It would encrypt files on whichever systems it gained a foothold on. It might also encrypt attached storage or adjacent file servers but would generally stop there. Ransoms were typically in the hundreds or low thousands of US dollars (nearly always to be paid in cryptocurrency).

There has been a distinct shift in extortion strategies. Instead of opportunistically targeting individuals, attackers now spend more time and effort to extort entire companies at a time, for a much larger payoff. The frequency of these attacks is increasing.

Cybercriminals have kept the opportunistic approach for the first part of the process – searching for working credentials, scanning for common vulnerabilities, or spraying phishing emails to millions of addresses. When one of these approaches succeeds, the criminals no longer automatically deploy ransomware.

Instead, the rest of the process resembles a penetration test – often down to the tools used (Cobalt Strike is common). The attackers explore the compromised organization to determine whether it is worth attacking (ability to pay and likelihood of paying seem to be the key criteria). They then carefully expand their access across the internal network and stage ransomware throughout it.

Only when everything is in place do they kick off the process of encrypting files and sending ransom notes.

The full Enterprise Security Weekly interview includes a lot more detail about cryptojacking and the latest extortion scams. Visit https://securityweekly.com/ciscoumbrella to watch it and for more information.

Also check out our upcoming Webcast with Cisco Umbrella: Top 7 Ways to Evaluate a SASE Service

Register here: https://attendee.gotowebinar.com/register/8098001410769370637

Adrian Sanabria

Adrian is an outspoken researcher who doesn’t shy away from uncomfortable truths. He loves to write about the security industry, tell stories, and still sees the glass as half full.
