Cryptojacking: Where Stealth Meets Payoff

Most of us are well aware of ransomware and how prolific of an attack vector it has become. Attacks such as SamSam, WannaCry, NotPetya, Petya and others have resulted in significant economic damage to their victims, either through ransom payments or the associated downtime. Ransomware can arrive in many forms including phishing email attachments, embedded in malicious website downloads (“drive-by downloading”), a web link that automatically downloads the ransomware when clicked or being infected through a standard hacking attack.

Executive Summary

Cryptojacking attacks come with no demands for ransom, but even though individuals and companies who are victims aren’t directly impacted by attempts to use their devices to mine virtual currencies, insurers should be mindful of possible risks. Here, One Beacon Technology’s Tusar Nandwana explains the attacks, the potential of insurable claims and offers advice to lower the possibility of being a victim.

Now imagine being on the receiving end of a similar attack—but there is no request for a ransom. In fact, you are likely unaware that you have been attacked by malware as there has been no data theft, damage to your computers or extortion. Instead, malware is uploaded to your system simply to steal your computing power to mine a variety of virtual currencies. These cyber attacks are known as “cryptojacking,” where cybercriminals steal computing power from unsuspecting sources so they can use it to mine difficult-to-track virtual currencies such as Monero and ZCash.

Why the Power Boost?

Cryptocurrency mining requires extensive computing power, which quickly becomes expensive. Unwilling to sit on the sidelines, cybercriminals have developed specific malware designed to steal computing resources from an unsuspecting user. The malware can be tailored to steal computing resources from any type of computing device including enterprise-based cloud buckets and web servers, PCs, laptops, mobile devices, industrial routers, and even IoT devices.

Cybercriminals will generally target enterprise-computing resources as they have significantly more computing power available to steal, but no one is immune. Such malware has also targeted consumer PCs, tablets and smartphones.

So, you may be wondering how to identify that cryptojacking has occurred. The illegal use of your computing resources may result in slower performance and sluggish applications or even in an overheated CPU. However, a good attacker will configure their malware so that it operates surreptitiously and remains undetected for as long as possible. The goal is to steal just enough computing resources while staying under the radar and undetected.

We are likely to see an increase in cryptojacking malware because it is easier, cheaper and more profitable compared to ransomware or other cybercrimes. If designed properly, 100 percent of the devices infected with cryptojacking malware will operate and mine for the hacker, compared to ransomware, where only a few victims will pay the ransom. Malware kits have been designed to be easy to implement, and some cost as little as $30. Further enticement is that criminal penalties are limited as there is no data theft or extortion. As a criminal act, cryptojacking has the greatest ROI, offering great reward at minimal risk.

Breaking and Entering

So, how do these stealth attacks happen?

Cybercriminals trick victims into loading or using cryptomining botnet malware using two methods: First, phishing tactics may be applied, where someone receives a fake email with a malicious link that, when clicked, loads the malware onto legitimate devices. Alternatively, a malware script is injected into a website or web ad, and once a victim visits the website, the script executes.

We are likely to see an increase in cryptojacking malware because it is easier, cheaper and more profitable compared to ransomware or other cybercrimes.

There are a variety of cryptomining malware families that include various products such as CoinHive, XMRig, Cronix, ZombieBoy, PowerGhost, RedisWannaMine, Underminer, Massminer, Smominru and others. Currently, CoinHive is the most prevalent. In fact, it was recently discovered targeting thousands of MikroTik routers that are favored by ISPs and large networks to inject itself into webpages served by the infected routers. Some of the cryptojacking products are designed to target enterprise networks, while others have sophisticated anti-detection capabilities or target-specific vulnerabilities, or even target and disable other cryptojacking malware they find on a device.

CoinHive script was also recently discovered in more than two dozen apps found in the Google Play Store where they were disguised as games, utilities and educational tools (e.g., SAT, GRE, LSAT prep course apps). More than 120,000 units were downloaded with the intent of illegally mining Monero cryptocurrency from users’ smartphones. Google has removed these offending apps but noted that more could be present. (Source: “Cryptojacking apps return to Google Play Market” by Pankaj Kohli, Sept. 24, 2018, Sophos News blog from security firm Sophos)

It has been estimated that CoinHive malware has about 75 percent of the cryptojacking market and generates about $250,000 in Monero each month. CoinHive collects about 30 percent of the gross revenue as a fee. (Source: “Study: CoinHive Earns Roughly $250,000 in Monero a Month,” coinwire.com, Aug. 20 2018, citing research by RWTH Aachen University in Germany)

Insurance Concerns

Unlike a data breach or a ransomware attack, which is likely to result in an insurance claim, there appears to be a lower potential of a claims scenario due to a cryptojacking event. While the extent of insurable harm from a cryptojacking event may be far less, the potential does exist. So, where would we see insurance concerns with cryptojacking?

If the cryptojacking malware is eventually found, there would be costs associated with the forensic investigation to determine if there has been any data leakage or other harm.
If the cryptojacking malware attacked an insured’s SaaS platform or hosting-type operations and caused delays or service degradations for its customers who, in turn, sustain financial harm or delay of service, this could be grounds for an errors and omissions claim. Such a scenario is a remote possibility but could occur.
Finally, if cryptojacking malware gains a foothold within an insured’s network, there is a greater potential that other, more nefarious malware would use the same attack vector or vulnerability to target the insured over time.

Playing Defense

To limit your potential of becoming a cryptojacking victim, consider the following:

As phishing is a primary entry vector, train and remind your staff on the perils of phishing attacks.
Be cognizant of the websites used by your staff. It is difficult to ascertain if a particular website is malicious, but use of web filtering software should help control some of the exposure.
Use standard endpoint protection products to potentially detect cryptojacking malware. Bear in mind that this malware is becoming sophisticated and some of it is designed to circumvent such controls.
Use tools to monitor CPU usage to detect anomalies or unusual CPU drain. Train IT staff to be on the lookout for complaints or network performance logs that suggest sluggish applications and systems, as these could be signs for a potential cryptojacking infection.

Cybercriminals are persistent and continually looking for vulnerabilities. Staying abreast of emerging cyber risk and mitigation tactics is simply playing smart defense.