Thanks to the ongoing cryptocurrency craze, security experts have witnessed an explosion in cyber attacks centered on siphoning away people’s computing power to generate virtual currencies.
In recent months, the assaults have been targeting servers and Windows PCs for businesses and consumers. But the attacks may have an upside: some hackers appear to be shelving their ransomware schemes in favor of cryptocurrency mining.
“We definitely saw a significant decrease in a lot of ransomware being used in the second half of last year,” said Adam Kujawa, a director of malware intelligence at the security firm Malwarebytes. “There’s been a huge shift in tactics.”
Ransomware vs. Mining
A big reason for the change comes down to economics; for cybercriminals, mining cryptocurrency can potentially generate more cash than infecting machines with ransomware.
Security researchers at Cisco Talos have been tracking several lucrative mining-based malware attacks. By secretly hijacking hundreds, and possibly thousands, of machines, the hackers have been able to harness all that computing power to mine a cryptocurrency known as Monero, which is now worth between $200 and $300 a coin.
A single day of mining may only amount to $500. But what about a whole year? Several of these attacks have already amassed enough computing power to mine around $200,000 in Monero, according to Cisco Talos. (Other security firms have uncovered campaigns that can raise millions per year.)
Contrast that with ransomware attacks, which involve infecting a computer, encrypting all the data inside, and then threatening to delete it unless the victim pays up. A successful attack can demand anywhere from $1,000 to 10 times that amount, or even more. But the scheme only works if the victim chooses to give in.
“It’s a cost-benefit analysis for them (the hackers),” said Nick Biasini, a researcher with Cisco Talos.
To be sure, ransomware attacks are still popular in the cybercrime world; hackers continue to prey on hospital, school, and government computers. But organizations have also smartened up and bolstered their systems against such attacks with better security software or backups, giving hackers fewer targets to hit, Biasini said.
The other problem is that ransomware can be noisy and draw the attention of law enforcement or even world governments, like the WannaCry ransomware outbreak did last year. In comparison, a mining attack “is almost the polar opposite,” Biasini said. “This is designed to run silently in the background, slowly generating revenue, as opposed to a one-time lump sum of money,” he said.
Hackers appear to be dropping mining malware onto PCs and servers, Biasini said, but another popular tactic is to hijack a website and include a cryptocurrency miner in the code. If you visit these sites, the miner will secretly run in your browser and steal your PC’s computing power.
What does this mean for victims? Expect your PC’s fan to kick into high gear. All that mining can drag down your computer’s performance and trigger an uptick in your electric bill. It’s certainly annoying, and prolonged mining can degrade your machine’s hardware. But compared with a ransomware infection—which can hold your files hostage and delete them—the mining has an upside: it’s far less destructive.
The Lesser of Two Evils?
“You’re leeching instead of stabbing,” said Chris Vickery, director of cyber risk research at the security firm UpGuard. “You’re sucking a little bit of blood instead of bleeding them dry.”
Ironically, the mining attacks may be an unconventional antidote to the ransomware threat. Earlier this week, Vickery tweeted that the security community should “spread word” to malware writers about the merits of adopting mining-based attacks.
“I’m not saying the hacking should be taking place,” he said. “But it’s kind of a good thing that there will be less harm done overall.”
That doesn’t mean PC owners should tolerate the mining. No one, especially businesses, wants to see a drain on their computing resources. But hackers who have successfully infected a computer with a miner usually have the capability to install other malicious code onto the system, including ransomware.
“You can’t discount any malware,” said Malwarebytes’ Adam Kujawa. “A lot of times you will have one primary infection, and they may keep adding more.”
Other experts say cybercriminals aren’t necessarily picking one scheme over another; they can go with both. Or in other words: the worst of both worlds.
“Cryptocurrency mining is by all means the current weapon of choice for numerous threat actors,” Maya Horowitz, threat intelligence group manager at Check Point, said in an email. “Nevertheless, we do not see a decrease in ransomware attacks.”