Aspiring cyber criminals often start with “low risk, low yield” attacks to ease into the trade. Ransomware has filled this role for a few years. Many were impacted, and ransomware’s destructive side effects started tipping the criminal business model. The risk for criminals has increased. There’s a good chance ransomware will lose its place as “cybercrime 101”.
So what’s happened? Although crypto ransomware existed as early as 1989, modern ransomware started in 2013 as a side project of the GameOver ZeuS fraud group. Called CryptoLocker, it got huge attention from the industry and press. The simple premise was:
- Infect PC
- Store bot identifier in C2; create unique, strong, private key
- Encrypt important files on victim device
- Accept BTC payments
- Immediately return private key to victim after payment
Step 5 has always been the most important. With ransomware you want good word of mouth; you want your victims to say: “wow, you can really trust these criminals”. Others take notice, start paying, and you make some money. The earnings were never as big as with the riskier crime types.
Criminals you can’t trust
Unfortunately, the high profile ransomware attacks of 2017, specifically #Wannacry and #Notpetya, forgot the importance of rule 5. Payments lagged after reports that no one got their files back. The word started to spread: “hey, these are some pretty untrustworthy criminals.” Researchers found that #Wannacry didn’t even have the code needed to match a payment to a victim’s key. The criminals couldn’t return your files even if they wanted to. #Notpetya had a manual, broken process for returning files: its contact e-mail address was quickly taken down, leaving the criminals unable to return a key. (Almost) no-one got their files back. Untrustworthy bunch.
Later, of course, this was placed in the perspective of nation state motives: they weren’t after the money, they just wanted to destroy. Most now believe the malware was used as a weapon. Public opinion shifted. We can’t trust criminals anymore. They destroy our stuff and put hospital patients in danger. They are nasty people. We’re not getting our files back. Law enforcement went after them. The risk for criminals increased and their yields decreased. Ransomware is becoming deprecated. Today, the majority of malware we spot in the wild is still ransomware, but that might change.
Crypto currency mining
There’s another attack type that allows you to earn BTC or Monero, and this one doesn’t require you to interact with your victims. Crypto currency mining has been around for some time in the DIY space, and criminals are taking notice. The premise is to use victims’ computing power to do the billions of calculations needed to find new electronic currency, a process called mining.
From our CDCs, we see three attack types on the rise:
- Traditional attacks using existing botnet infrastructures. The payload mines BTC, Litecoin, or recently Monero. The latter seems to be a great candidate for becoming the criminals’ #1 choice, as Monero’s transactions are far less traceable than, say, Bitcoin’s. Which is great for a criminal’s legal risk.
- Bespoke attacks, executed by criminals manually or semi-automated, building large mining infrastructures inside corporate networks.
It might seem crypto currency mining is essentially stealing electricity. From a victim’s perspective, this kind of attack is far more “friendly”, since it doesn’t destroy or steal data. It aligns with the “low risk, low yield” approach of starting cybercriminals. It’s plausible to predict that mining will replace ransomware as the entry level attack approach.
Lulled into a false sense of security
This might lead to an interesting side effect. Ransomware, for all of its bad characteristics, motivated board room executives to invest in their defenses. When I talk to an average budget holder, “GDPR and ransomware” are the top two drivers. If the attack incentive is replaced with a more victim-friendly one, some could be lulled into a false sense of security. “It cost us some extra operational expenses, but at least our data wasn’t compromised.” It might come to be considered an IT problem rather than a board issue. We might go a few steps back in time.
For now, we’ll need to wait and see. On top of the extra CPU cycles the #meltdown patches require, coin mining attacks might be another hit on your processing power, and we mustn’t be fooled into thinking they are relatively benign.
Will ransomware disappear? Ransomware might be further weaponized for geopolitical purposes. But there’s a criminal use too, as attackers tailor bespoke extortion campaigns to enterprises. Already there are reports of ransomware targeting back-up systems, a glimpse of a future of focused, disruptive ransomware campaigns.
For young, ambitious hackers thinking of becoming criminals, Monero mining is looking like the best opportunity.
- FBI botnet takedown – https://www.fbi.gov/news/stories/gameover-zeus-botnet-disrupted
- FBI 2016 IC3 report – https://pdf.ic3.gov/2016_IC3Report.pdf
- US declares North Korea the culprit behind devastating WannaCry ransomware attack – The Verge
- Cryptocurrency mining: victimless crime? – https://securelink.net/resources/trending/crypto-currency-mining-attacks-a-victimless-crime/
- Ransomware will target backups – https://www.darkreading.com/endpoint/ransomware-will-target-backups-4-ways-to-protect-your-data/a/d-id/1330029
- What is RubyMiner? New malware found targeting Windows and Linux servers to mine cryptocurrency