Is ransomware dead?
Blog by Eward Driehuis, Chief Research Officer
In early 2018, we observed cryptocurrency mining incidents taking over from ransomware incidents. Let‘s dive into the numbers, interpret them, and add some historical context.
Historically, cybercrime had the widest and deepest impact on average technology users. Many people know someone who has been defrauded, or they have been victims themselves. Although the scales are tipping as nation state threats and espionage are on the rise, for many, cybercrime remains the biggest risk.
When investigating cybercrime, most research conducted is on the technical side: malware, DNS names, indicators of compromise and Tactics, Techniques and Procedures (TTPs). Paradoxically, for criminals, the most challenging part of their work has always been laundering the money.
Money laundry in relation to attack types
Money laundering evolution can be classified into roughly three phases:
- Known as the money mule phase, proceeds of criminal transactions are passed to money mules (intermediaries passing funds to the next account). Typically used for lower amounts, it requires a lot of effort to manage mules.
- For larger amounts, criminals build networks of financial insiders and shell companies. Here they’re able to move greater amounts of money at once.
- With electronic currencies like Bitcoin and Monero, laundering and transactions are taken care of in just one step.
The last phase has opened new doors for criminals and they now actively look for new ways of making money through stealing electronic currency.
Although in existence since 1989, Crypto ransomware (ominously referred to as the AIDS virus), has been commoditized by a gang of banking fraudsters running GameOver ZeuS. In 2013 their technical lead created CryptoLocker. Run from their existing fraud infrastructure, they infected around half a million victims. Of those victims only a fraction paid, earning them an estimated $2 million on top of their fraud revenue (which was much, much greater). Dozens of copycat attacks followed targeting random devices through botnets however didn’t lead to large earnings for criminals. Unfortunately it remains easy and cheap to deploy ransomware. During the last two years we’ve seen ransomware used in more bespoke scenarios: criminals hack corporate networks, destroy backups and then ransom files for larger amounts.
What is mining?
Bitcoin and other coins are created on blockchain. It relies on a peer to peer network to maintain integrity and it gives (random) awards to those investing their computation power in the network.
The power is needed to make the integrity calculations, the random reward is a (part of a) coin. To increase chances of finding a coin, mining pools exist. The reward is split over the nodes participating in the pool.
Bitcoin was the first and the most widely adopted electronic currency. There is a maximum number of bitcoins that can be mined, and it gets increasingly hard to find one.
Power need increases exponentially. That’s why criminals, in the mid 2010’s looked at other coins to mine. Litecoin was easier on the CPU but was never a big money maker. Monero is today’s coin of criminal choice. Partly because is easier to mine, partly because it’s less traceable. This makes it more suitable for money laundering.
There’s another way to earn bitcoins: mining them. Mining is the process of investing computing power in the network for which random rewards are then extended. Criminals have dabbled in this process for some time, quickly discovering however that bitcoin is literally too difficult to mine, so they have looked for other coins. In previous years they occasionally mined for Litecoin, while today’s coin of choice is monero. Monero is less traceable than other coins and so better serves money laundering purposes. SecureLink Cyber Defense Centers identified roughly three types of mining, in increasing shades of grey:
Insider mining: The system administrator managing a network of several hundred PCs in an office may deploy miners on them. Provided they only run at night, the important work you do during the day won’t be disrupted.
Mining botnets: Criminals repurpose their botnets to leverage CPU power and send the results to a mining pool.
SecureLink Cyber Defense Centers have observed a significant increase in both ransomware and coin mining. The types of mining referred to above are all increasing, however the malware variant is of course the most deliberately criminal. Mining grew more difficult in the first half of 2018. In June 2018, suddenly coin mining activity halted with ransomware becoming the largest attack type in July 2018. From July 2018 we’ve seen ransomware increase, correlating with the release of a new version of Gandcrab. From there on we’ve seen a ransomware increase, correlating to the release of a new version of Gandcrab.
Stats from the CDC
Ransomware versus cryptocurrency miner attacks in 2018
Explaining the trendlines
It makes sense that coin mining became popular. Mining was a different and a far easier way to steal electronic currency than ransomware. Looking at mining from a ROI perspective, ransomware has never quite been the money maker the criminals had hoped for. A number of process flaws lie at the heart of its failure:
- Many victims will not pay, accepting the damage of lost data.
- Many can recover and restore through back-ups and will therefore not pay.
- Initially there was no good enterprise model. The process was paying the same amount for every infected machine which doesn’t work in organisations; computers (the vulnerable machines) were simply reinstalled.
- Interaction (or automating interaction) with a victim is required and criminals can only return the keys if they get a unique identifier from the victim and match it to the appropriate key. This makes for a lot of work.
- Many victims may want to pay but find it difficult to buy and transfer electronic currency, especially vulnerable targets like elderly people. Whilst many wanted to pay, they simply couldn’t.
For these reasons, only one in a hundred victims paid in early ransomware attacks. This led to the next issue: the remaining victims needed to deal with data loss or recovery costs. This resulted in a lot of collateral damage for a very modest return making attacks riskier as law enforcement and researchers began actively tracking perpetrators.
Want to read more interesting content?
Check out our insights and trending page! Only hot topics concerning cybersecurity.
Coin mining on the other hand doesn’t require interaction with victims or payment. The coins are added to the pool using an automated process, where criminals retrieve them. As far as process goes, this is much easier for criminals. The process not being destructive means victims see it as a lower risk, and so do law enforcement, researchers and boards of directors.
So why then the sudden decline in coin mining and increase of ransomware in June 2018? The answer is subject to interpretation. There may have been events outside of our visibility, but if we disregard this, there might be other reasons:
- Electronic currency has devalued. In December 2017 a bitcoin cost $20,000, while in June 2018 it was around $8,000, and October 2018 saw a further decrease to just above $6,000. With the value and hype decreasing the ROI of mining cryptocurrency is equally declining. This may be discouraging criminals from mining.
- Browser mining is relatively easily blocked. After an introductory period, orgnisations have prevention techniques in place. While the number of attempts may be much higher the number of successful attempts is lower resulting is less browser mining.
- Ransomware was in the news quite a bit in 2018 which might have increased motivation to use it.
Electronic currency, and certainly Monero, is a fantastic tool for criminals. Pursuing it is only natural for criminals (rookie or veteran) and they’re continually looking for the easiest way to do so. While mass ransomware automates many of the steps, the process remains cumbersome and flawed. SecureLink sees the future of ransomware in bespoke efforts: penetrating corporate networks, destroying back-ups and then ransoming for large amounts.
Is coin mining the silver bullet for criminals who want Monero? The process is automated and easy, the tools are automated and easy, no interaction is required, and every infection yields results. The pickings remain slim however. In order to make any real money, criminals need tremendous volumes, hundreds of thousands of infections. That ups the ante but also the risk.
Mining might be interesting for rookie criminals, but for the high rollers bespoke ransomware attacks and other extortion schemes remain of far greater interest. The increase in these bespoke ransomware attacks destroying back-ups is a concerning development.
With these attack types on the rise, we see that traditional ransomware and cryptomining will remain a nuisance and also an enticing entry-level attack type for criminals.