Is ransomware dead?
Blog by Eward Driehuis, Chief Research Officer
In early 2018, we observed cryptocurrency mining incidents taking over from ransomware incidents. Let‘s dive into the numbers, interpret them, and add some historical context.
Historically, cybercrime had the widest and deepest impact on average technology users. Many people know someone who has been defrauded, or they have been victims themselves. Although the scales are tipping as nation state threats and espionage are on the rise, for many, cybercrime remains the biggest risk.
When investigating cybercrime, most research conducted is on the technical side: malware, DNS names, indicators of compromise and Tactics, Techniques and Procedures (TTPs). Paradoxically, for criminals, the most challenging part of their work has always been laundering the money.
Money laundering evolution can be classified into roughly three phases:
The last phase has opened new doors for criminals and they now actively look for new ways of making money through stealing electronic currency.
Although in existence since 1989, Crypto ransomware (ominously referred to as the AIDS virus), has been commoditized by a gang of banking fraudsters running GameOver ZeuS. In 2013 their technical lead created CryptoLocker. Run from their existing fraud infrastructure, they infected around half a million victims. Of those victims only a fraction paid, earning them an estimated $2 million on top of their fraud revenue (which was much, much greater). Dozens of copycat attacks followed targeting random devices through botnets however didn’t lead to large earnings for criminals. Unfortunately it remains easy and cheap to deploy ransomware. During the last two years we’ve seen ransomware used in more bespoke scenarios: criminals hack corporate networks, destroy backups and then ransom files for larger amounts.
Bitcoin and other coins are created on blockchain. It relies on a peer to peer network to maintain integrity and it gives (random) awards to those investing their computation power in the network.
The power is needed to make the integrity calculations, the random reward is a (part of a) coin. To increase chances of finding a coin, mining pools exist. The reward is split over the nodes participating in the pool.
Bitcoin was the first and the most widely adopted electronic currency. There is a maximum number of bitcoins that can be mined, and it gets increasingly hard to find one.
Power need increases exponentially. That’s why criminals, in the mid 2010’s looked at other coins to mine. Litecoin was easier on the CPU but was never a big money maker. Monero is today’s coin of criminal choice. Partly because is easier to mine, partly because it’s less traceable. This makes it more suitable for money laundering.
There’s another way to earn bitcoins: mining them. Mining is the process of investing computing power in the network for which random rewards are then extended. Criminals have dabbled in this process for some time, quickly discovering however that bitcoin is literally too difficult to mine, so they have looked for other coins. In previous years they occasionally mined for Litecoin, while today’s coin of choice is monero. Monero is less traceable than other coins and so better serves money laundering purposes. SecureLink Cyber Defense Centers identified roughly three types of mining, in increasing shades of grey:
Insider mining: The system administrator managing a network of several hundred PCs in an office may deploy miners on them. Provided they only run at night, the important work you do during the day won’t be disrupted.
Mining botnets: Criminals repurpose their botnets to leverage CPU power and send the results to a mining pool.
SecureLink Cyber Defense Centers have observed a significant increase in both ransomware and coin mining. The types of mining referred to above are all increasing, however the malware variant is of course the most deliberately criminal. Mining grew more difficult in the first half of 2018. In June 2018, suddenly coin mining activity halted with ransomware becoming the largest attack type in July 2018. From July 2018 we’ve seen ransomware increase, correlating with the release of a new version of Gandcrab. From there on we’ve seen a ransomware increase, correlating to the release of a new version of Gandcrab.
It makes sense that coin mining became popular. Mining was a different and a far easier way to steal electronic currency than ransomware. Looking at mining from a ROI perspective, ransomware has never quite been the money maker the criminals had hoped for. A number of process flaws lie at the heart of its failure:
For these reasons, only one in a hundred victims paid in early ransomware attacks. This led to the next issue: the remaining victims needed to deal with data loss or recovery costs. This resulted in a lot of collateral damage for a very modest return making attacks riskier as law enforcement and researchers began actively tracking perpetrators.
Check out our insights and trending page! Only hot topics concerning cybersecurity.
Coin mining on the other hand doesn’t require interaction with victims or payment. The coins are added to the pool using an automated process, where criminals retrieve them. As far as process goes, this is much easier for criminals. The process not being destructive means victims see it as a lower risk, and so do law enforcement, researchers and boards of directors.
So why then the sudden decline in coin mining and increase of ransomware in June 2018? The answer is subject to interpretation. There may have been events outside of our visibility, but if we disregard this, there might be other reasons:
Electronic currency, and certainly Monero, is a fantastic tool for criminals. Pursuing it is only natural for criminals (rookie or veteran) and they’re continually looking for the easiest way to do so. While mass ransomware automates many of the steps, the process remains cumbersome and flawed. SecureLink sees the future of ransomware in bespoke efforts: penetrating corporate networks, destroying back-ups and then ransoming for large amounts.
Is coin mining the silver bullet for criminals who want Monero? The process is automated and easy, the tools are automated and easy, no interaction is required, and every infection yields results. The pickings remain slim however. In order to make any real money, criminals need tremendous volumes, hundreds of thousands of infections. That ups the ante but also the risk.
Mining might be interesting for rookie criminals, but for the high rollers bespoke ransomware attacks and other extortion schemes remain of far greater interest. The increase in these bespoke ransomware attacks destroying back-ups is a concerning development.
With these attack types on the rise, we see that traditional ransomware and cryptomining will remain a nuisance and also an enticing entry-level attack type for criminals.