The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
1. Introduction
ISACA, an international association focused on IT governance, has recently released its annual study "State of Cybersecurity." The study relates to the year 2018 and is based on feedback provided by 2,366 security leaders. It found that, while in the last year 62% of the respondents experienced ransomware attacks, only 45% of them experienced such attacks in 2018. The data indicate that ransomware attacks may be replaced by a relatively new cybersecurity threat, i.e., cryptocurrency mining malware. In comparison with other types of malware (including ransomware), this type of malicious programs does not aim to encrypt files without authorization, turn off computer systems, or delete important system files. The purpose of cryptocurrency mining malware is to use the computer power of the infected computers for mining cryptocurrencies. Since cryptocurrency mining malware does not have an obvious impact on the infected computers, the users of those computers may not detect it for a long time.
In this article, we examine the reasons for the decline of ransomware (Section 2) and the rise of cryptocurrency mining malware (Section 3). Finally, we provide concluding remarks (Section 4).
Hands-on threat intel training
2. The reasons for the decline of ransomware
After the WannaCry and NotPetya ransomware attacks in 2017, many companies implemented comprehensive ransomware strategies. 78% of the respondents of the study mentioned above adopted such strategies in 2018, whereas only 53% of the respondents in 2017 had such strategies. 2017 was officially declared "the year of ransomware" as a result of more than 90% increase of malware attacks that year.
After facing the strong anti-ransomware measures adopted by many organizations and the raised security awareness regarding ransomware, malware creators decided to focus their attention on new cybersecurity threats. It is worth mentioning that such threat cycles are a common occurrence in the field of cybersecurity. Similarly, to legitimate businesses, malware creators need to innovate to increase "the use of their products."
3. The rise of cryptocurrency mining malware
2017 was not only the year of ransomware but also the year of blockchain awareness. Apparently, fraudsters also became aware of the benefits of blockchain and might even have noticed that 2018 is likely to be the year of blockchain adoption. Therefore, they decided to concentrate their activities on a new cybersecurity threat, namely, cryptocurrency mining malware. To illustrate how this type of malware works, we will examine its most prominent representative, i.e., Dofoil (also known as Smoke Loader). Microsoft detected it on 6th of March 2018.
Dofoil infects computers by tricking the victims to open a Trojan that performs a process hollowing on explorer.exe. The term "process hollowing" refers to a technique for injecting code. It includes spawning a new instance of a legitimate process and replacing the legitimate code with malicious programs. More specifically, Dofoil targets c:windowssyswow64explorer.exe. The hollowed process is used for running a coin mining malware camouflaged as the legitimate Windows binary "wuauclt.exe." The coin mining malware can mine different currencies because it supports NiceHash. Microsoft analyzed a version of Dofoil which mines Electroneum coins.
To ensure that it is well hidden, Dofoil modifies the registry. The hollowed explorer.exe creates a copy of the malware in the Roaming AppData folder and, afterward, changes the name of the folder to ditereah.exe. Next, it modifies an existing registry key or creates a new one to refer to the newly created copy of the malware. In the version of the malware analyzed by Microsoft, Dofoil modified the OneDrive Run key.
It should be noted that Dofoil can connect to command and control (C&C) servers and listen to commands to download and install malware. The version of Dofoil examined by Microsoft used the decentralized Namecoin network infrastructure for C&C communications.
In the near future, we can expect an increase in the number of cryptocurrency mining malware applications. The reason is that this type of malware can secretly monetize computer resources, without blatantly manifesting itself. It just transforms the affected computer in a "golden mine" that mines cryptocurrencies until the user of the infected computer notices the malware. Many users may never notice the malware, thus becoming permanent miners.
In comparison with ransomware applications which use computer resources to spread themselves and botnets for rent which allow fraudsters to use computer resources to conduct cyber-attacks, cryptocurrency mining malware applications are less intrusive and, therefore, less detectable. However, the damages caused by cryptocurrency mining malware should not be underestimated. In January 2018, The
Financial Times announced that, in 2018, bitcoin operations may require more electricity than that used by Argentina (a country having a population of more than 43 million people). Considering that Bitcoin is just one of a large number of cryptocurrencies, we can conclude that a significant portion of world's electrical power will be spent for crypto operations.
Cryptocurrency mining malware applications, such as Dofoil and NotPetya, have the potential to cause a tremendous amount of energy expenditure which can otherwise can be used for legitimate purposes. Although the energy waste caused by cryptocurrency mining malware applications is unknown, it is likely to be significant since Microsoft found that Dofoil alone attempted to infect more than 400,000 computers within 12 hours. In addition to wasting energy, cryptocurrency mining malware applications may slow down computers and Internet connections.
4. Conclusions
This article has shown that we are currently witnessing a shift in the cybersecurity threats from ransomware to cryptocurrency mining malware applications. This trend is likely to continue as the blockchain market size is expected to grow from USD 411.5 million in 2017 to USD 7,683.7 million in 2022. The growth in the blockchain market will further increase the demand for computer resources, and hackers will attempt to benefit from the high demand by attempting to supply such resources with the aim to earn cryptocurrencies unlawfully.
References
1. Badkar, M., 'Bitcoin energy demand in 2018 could match Argentina – Morgan Stanley', Financial Times, 10 January 2018. Available at https://www.ft.com/content/93b22cb1-0346-38be-bebf-d2e676e19621.
2. 'Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign', 7 March 2018, Microsoft Secure. Available at https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/ .
3. 'Blockchain Market worth 7,683.7 Million USD by 2022', Markets and Markets, Press Release. Available at https://www.marketsandmarkets.com/PressReleases/blockchain-technology.asp.
4. Costlow, K., 'The Year of Ransomware: 2017 Recap and 2018 Predictions', STEATHbits, 20 November 2017. Available at https://blog.stealthbits.com/The-year-of-ransomware-market-trends.
5. "Cyberthreats Increasing But Shifting, With Ransomware Attacks Down 17 Percent", BusinessWire. Available at https://www.businesswire.com/news/home/20180604006438/en/Cyberthreats-Increasing-Shifting-Ransomware-Attacks-17-Percent.
6. Kumar, M., 'New Cryptocurrency Mining Malware Infected Over 500,000 PCs in Just Few Hours', The Hacker News, 8 March 2018.
7. Osena, M., 'Cryptocurrency-Mining Malware: 2018's New Menace?', TrendMicro Blog, 28
February 2018. Available at https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-2018-new-menace/.
8. Zago, M., '2017 Was the Year of Blockchain Awareness. 2018 Is the Year of Adoption', Medium, 13 January 2018. Available at https://medium.com/@matteozago/2017-was-the-year-of-blockchain-education-2018-is-the-year-of-adoption-bb862e0faae5
Hands-on threat intel training
Co-Author
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.
In this Series
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage