MORITZ PUTZHAMMER
04 April 2022 • 9 min read
You know that cryptocurrencies have exploded in popularity when even mainstream media outlets like The New York Times declare that “Everyone has Crypto FOMO.” But as more and more newbies enter the space, especially now that crypto markets are surging once again, there are more and more opportunities for crypto scammers to attempt to steal people’s crypto using a variety of nefarious methods. As the website SecurityIntelligence asked recently, “Is anyone doing anything about the explosion in crypto crime?”
According to Cognyte's Cyber Threat Intelligence Research Group, for example, the number of organizations hit by ransomware grew by 100% in 2021. This malware relies on the CPU of the infected device to operate, and it is gradually becoming a popular form of cyber attack.
The first step to protecting your crypto from this and other forms of malware is understanding how it works. But with all the various terminologies in the crypto space, it can be difficult to get a sense of the differences between malware, ransomware, cryptojacking, and criminal crypto mining, which is why we’ve put together this informative overview about the various forms of crypto malware and how to protect yourself from them.
Read on and learn how to keep your crypto safe!
According to Kaspersky, crypto malware is defined as a “type of ransomware that encrypts user’s files, and demands ransom. Sophisticated crypto malware uses advanced encryption methods so files could not be decrypted without a unique key.”
Depending on the type of crypto malware being deployed, the threat actor may be able to mine cryptocurrencies using someone else’s server or computer. It is also known as a silent threat that leverages the processing power of other user devices to gain payments. Once executed, crypto malware can run independently on the victim’s computer, and the attacker can continue to drain resources from the hacked device without paying the victim.
The history of crypto malware is really quite interesting. According to one site,
The first crypto malware, which mined dogecoins using the Harvard University’s Odyssey computer cluster, was discovered in 2014. That discovery was soon followed by a similar attack that same year, albeit to illegally mine bitcoins, using the National Science Foundation (NSF)’s supercomputers.
But crypto malware actually made headlines only from 2017 onward, as cybercriminals doubled their effort to hijack insufficiently secured computers, servers, and even browsers to fill their own cryptocurrency wallets. One particularly interesting attack involved former U.S. Federal Reserve employee Nicholas Berthaume who illicitly mined for bitcoins using his employer’s computers.
According to the same site, crypto malware grew 4,000% from 500,000 in 2017 to 4 million in 2018. And in the first half of 2020 alone, the five most commonly detected cryptomining malware families affecting corporate networks were XMRig, JSEcoin, WannaMine, RubyMiner, and NRSMiner.
Crypto malware and ransomware attacks can be quite similar. They are both designed to generate income for the attacker, but the method in which they operate differs significantly.
As mentioned above, a ransomware attack involves encrypting a victim’s files and demanding a ransom for those files. The ransomware attacker can sell the information on the dark web if the victim fails to make payments.
On the other hand, crypto malware can operate on a system unnoticed, benefitting the attacker as long as the malicious code remains undetected. A recent report found that the Verblecon malware loader, for example, is being used in stealthy crypto mining attacks. According to the findings of the report, “The malware is Java-based and its polymorphic nature is what allows it to slip into compromised systems, in many cases undetected.”
Ransomware demands direct payment, and it is becoming the fastest-growing type of cybercrime today. As you would imagine, the impacts of ransomware are costly. In 2020, the global ransomware cost was about $20 million, a figure that only continues to increase.
If you’ve ever heard of carjacking, then you should be able to figure out what is meant by cryptojacking. Instead of stealing someone’s car, the crypto thief effectively steals someone else’s computer (or, more precisely, computing power) to mine crypto.
According to Investopedia, “Cryptojacking is a type of cyberattack in which a hacker co-opts a target's computing power to illegitimately mine cryptocurrency on the hacker's behalf. Cryptojacking can target individual consumers, massive institutions, and even industrial control systems.”
Most crypto blockchains allow anyone to mint new coins through the mining process. You’ll even see guides such as “How to Create a Solana Token in 5 Steps.” The process isn’t particularly difficult and it’s open to anyone, making it extremely accessible. Unfortunately, this has led to the distribution of crypto mining malware that mints new coins when executed on a victim’s device, which in turn has led to an increase in criminal crypto mining activities.
“You’re hijacking someone else’s machine, their processing power, the battery life and their memory to mine cryptocurrency,” explains Daniel Almendros, a cyber threat intelligence analyst at Digital Shadows. These new coins are deposited to the attacker's wallet while the victim bears all the mining costs such as electricity as well as wear and tear of the computer.
A recent report by SonicWall reveals that cryptojacking has been on an uptrend due to the growing demand for cryptocurrency. This surge in criminal crypto mining is a matter of economics, and it may continue to increase as cryptocurrency gains massive adoption.
Hence, it is necessary to know how to keep your crypto safe from crypto malware. First, though, let’s take a look at various types of crypto malware.
Crypto malware can take various forms and here are the most common types.
We’ve covered this already, but crypto ransomware is one of the most popular forms of malware. In extreme cases, it has been used by Russian hackers to demand $70 million in bitcoin from U.S. companies. This type of ransomware encrypts files on a computerized device, making those files inaccessible. In exchange for the decryption keys, the attacker demands a ransom from the victim. Crypto ransomware is very common today, and malicious files can spread through various means such as e-mails, ads, and downloads.
As the name implies, locker ransomware locks the computer, preventing access to its files and applications. In addition, a lock screen may be displayed demanding a ransom to unlock the computer within a stipulated time.
A recent example is the “Ragnar Locker ransomware.” As The Register reports, “The Ragnar Locker ransomware gang has so far infected at least 52 critical infrastructure organizations in America across sectors including manufacturing, energy, financial services, government, and information technology.”
In this case, the attacker encrypts files and creates a duplicate of those files to blackmail the victim. The attacker can threaten to go public with the hacked data if the victim fails to meet their demands.
As one website has reported, in the wake of the infamous WannaCry and NotPetya ransomware campaigns over 2017, malicious actors have now changed their tactics.
Now, rather than just encrypting files, double extortion ransomware exfiltrates the data first. This means that if the company refuses to pay up, information can be leaked online or sold to the highest bidder. Suddenly, all those backups and data recovery plans became worthless.
It is worth noting that paying such ransom provides no guarantee that the data won’t be made public at some point, since the attacker still has the stolen data.
This involves a professional hacker anonymously hosting malware and then offering to rent out access to it. The professional handles all aspects of the hacking process, down to collecting the ransom, in return for some charges.
As CrowdStrike explains, “Ransomware as a Service (RaaS) is a business model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. Think of ransomware as a service as a variation of software as a service (SaaS) business model.” Some common examples of RaaS include DarkSide, REvil, Dharma, and Lockbit.
There are three ways in which cryptojackers maliciously mine cryptocurrencies:
File-based cryptojacking is one of the most common methods in cryptojacking. Here, the attacker sends an email or a file that looks authentic to the victim.
When the victim downloads and executes the file(s), the malicious mining scripts start running in the background of the computer without the user’s knowledge. In fact, it’s so common that even academics have written research papers about it (“Unmasking File-Based Cryptojacking”).
Hackers can create malicious crypto-mining scripts that run in various web browsers, using the victim’s IT infrastructure to mine cryptocurrencies. These scripts can take the form of attractive ads or outdated plugins that run in the background once downloaded to the computer.
However, according to an article on ZDNet, although browser-based cryptojacking spiked in 2020, a comeback is not expected. As they reported,
Most cybercrime groups who experimented with cryptojacking operations in the past usually dropped it weeks later, as they also discovered that browser-based cryptocurrency-mining was both a waste of their time and too noisy, drawing more attention to their respective operations than profits.
Consider yourself forewarned.
Cloud cryptojacking involves searching an organization’s files and code for API keys that give access to its cloud services. Once these keys are found, hackers can siphon the organization’s CPU resources to illicitly mine cryptocurrencies.
Google was in the news recently, as Google Cloud has developed a cryptojacking solution to detect mining malware on virtual machines. As website Gadgets360 reported,
In a bid to safeguard crypto miners against security breaches, Google Cloud has developed a new solution called the Virtual Machine Threat Detection (VMTD). The tool will detect potential crypto mining malware attacks, also known as cryptojacking. This service from Google Cloud will also shield poorly configured accounts that are breached and used by hackers to mine cryptocurrencies.
Any additional measure of safety and security is usually a good thing.
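Because cloud cryptojacking starts from API keys left in files and code, a defender can audit their own repositories for such keys before anyone else finds them. The following is an added example, not code from the original article or from any vendor it mentions; the file names and sample contents are constructed, and the entropy threshold of 3.5 is an assumption to tune.

```python
import math
import re
from collections import Counter

# Publicly documented key shapes: AWS access key IDs and Google API keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
}
# name = "value" where the name suggests a credential and the value is long.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:api_?key|secret|token)\w*)\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)

def shannon_entropy(value):
    """Bits per character; random keys score high, placeholders score low."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def scan_text(path, text, min_entropy=3.5):
    """Return (path, line_number, kind) findings; the secret is never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind = next((k for k, p in PATTERNS.items() if p.search(line)), None)
        if kind is None:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= min_entropy:
                kind = "high_entropy_assignment"
        if kind:
            findings.append((path, lineno, kind))
    return findings

def scan_files(files):
    return [hit for path, text in files.items() for hit in scan_text(path, text)]

# Constructed sample input. The AWS value is the example key from AWS docs.
FAKE_GOOGLE_KEY = "AIza" + "0123456789abcdefghijklmnopqrstuvwxy"
SAMPLE_FILES = {
    "deploy/config.py": 'REGION = "eu-west-1"\n'
                        'AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                        'api_key = "xxxxxxxxxxxxxxxxxxxx"\n',
    "app/settings.py": 'import os\n'
                       'MAPS_KEY = "' + FAKE_GOOGLE_KEY + '"\n'
                       'client_secret = "q8Zt1LmW4xPv9Rk2Hs7Bd0Nc"\n'
                       'API_TOKEN = os.environ["API_TOKEN"]\n',
}

if __name__ == "__main__":
    print(*scan_files(SAMPLE_FILES), sep="\n")
```

The placeholder made of repeated characters and the key read from the environment are not flagged; keys reported by a scan like this should be rotated, not just deleted from the file.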
As you can imagine, the impacts of crypto malware can be extremely costly both for individuals and businesses. One academic article, entitled “On the Economic Impact of Crypto-ransomware Attacks: The State of the Art on Enterprise Systems,” describes the extent of the problem:
According to Cybersecurity Ventures research in 2017, in every 40 s, a business falls prey to a ransomware attack and the rate is predicted to rise to 14 s by 2019. Business organizations have had to pay cybercriminals even up to $1 million in a single attack, while others have incurred losses in hundreds of millions of dollars.
In addition to ransom payments and increased wear in affected machines, crypto malware can have even broader consequences, as they can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations.
As the website Trend Micro warns, “Cryptocurrency-mining malware can impair system performance and risk end users and businesses to information theft, hijacking, and a plethora of other malware. And by turning these machines into zombies, cryptocurrency malware can even inadvertently make its victims part of the problem.”
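The performance drain described above is also what gives a hidden miner away: it keeps the CPU busy for long stretches, while normal applications spike and settle. The following is an added example, not code from the original article; the process names, the allowlist, the 80% threshold and the five-sample window are all assumptions, and the samples are constructed.

```python
from collections import defaultdict

# Hypothetical allowlist: workloads expected to keep the CPU busy on this host.
EXPECTED_HEAVY = {"backup-agent"}

def sustained_cpu(samples, threshold=80.0, min_consecutive=5):
    """Return (pid, name, longest_run) for processes whose CPU use stayed at or
    above `threshold` for `min_consecutive` samples in a row.

    samples: (minute, pid, name, cpu_percent) tuples in time order.
    """
    streak = defaultdict(int)    # current run of hot samples per pid
    longest = defaultdict(int)   # longest run seen per pid
    names = {}
    for _minute, pid, name, cpu in samples:
        names[pid] = name
        # One cool sample resets the run, so short bursts never add up.
        streak[pid] = streak[pid] + 1 if cpu >= threshold else 0
        longest[pid] = max(longest[pid], streak[pid])
    return sorted(
        (pid, names[pid], run)
        for pid, run in longest.items()
        if run >= min_consecutive and names[pid] not in EXPECTED_HEAVY
    )

def build_samples():
    """Constructed data: ten one-minute samples for four processes."""
    rows = []
    for minute in range(10):
        rows.append((minute, 101, "browser", 95.0 if minute in (2, 3, 7) else 12.0))
        rows.append((minute, 202, "backup-agent", 90.0))
        rows.append((minute, 303, "sync-helper", 97.0 if minute >= 2 else 3.0))
        rows.append((minute, 404, "editor", 5.0))
    return rows

if __name__ == "__main__":
    for pid, name, run in sustained_cpu(build_samples()):
        print(f"pid {pid} ({name}): {run} consecutive samples above threshold")
```

Only the unexpected process with an unbroken run is reported; the browser's short bursts and the allowlisted backup job are not.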
So what can you do to protect yourself from crypto malware attacks? While it’s impossible to protect against every threat, there are best practices that can greatly reduce your risks. These include:
Perhaps most importantly, you should do your own research. Crypto malware is constantly evolving, and there’s a wealth of information online about the latest threats. If you know what’s out there, then you can take the appropriate measures to protect yourself.
Mining cryptocurrency isn’t illegal. However, doing so with someone else’s devices without their consent is malicious. As the demand for cryptocurrency increases, hackers are on the lookout to profit from mining by spreading malicious files, and everyone needs to be on their guard in order to protect their devices, their networks, their information, and their assets.
We’ll give the last word to Trend Micro: “Ultimately, however, the security of internet-connected devices against cryptocurrency-mining malware isn’t just a burden for their users. Original design and equipment manufacturers also play vital roles in securing the ecosystems they run in.”
Combating crypto malware is a collective problem and it requires collective solutions.