While 2021, unfortunately, played host to a wide variety of threats, it’s unlikely any factor will feature more prominently than cryptocurrency in the years to come. Two types of attacks leverage cryptocurrency directly: extortion and cryptojacking.
Before cryptocurrency, cybercriminals had to work much harder for far lower pay. Turning stolen personal information or credit cards into a paycheck was a long and labor-intensive process. Often, it involved buying and selling goods, shady forums, and hiring questionable characters to assist with various aspects of the process.
Much like regular entrepreneurs, cybercriminals and their marketplaces identified these problems, innovated, and found better methods. These new methods were more profitable, less risky, and had cryptocurrency at their core.
Cryptojacking
Cryptojacking is the practice of using someone else’s computing resources to mine cryptocurrency. On the surface, it doesn’t appear to be particularly sinister: cryptomining might cause some performance issues, shorten the lifespan of computers, or increase cloud computing costs.
However, according to Artsiom Holub, Senior Security Analyst at Cisco Umbrella, cryptojacking is often just the most visible activity. It is common for cryptojacking malware to also steal credentials.
What at first glance appears to be a harmless miner might be a precursor to something far more harmful, like a ransomware attack. Holub and McBride also identify two key delivery methods for cryptojacking:
- Browser-based: largely JavaScript-based, these miners are only active as long as a given website or browser tab remains open. The threat to the device and organization is minimal.
- Software-based: these miners, for all intents and purposes, are installed on systems in the same ways malware gets installed and will persist and survive reboots using similar methods. By running as a dedicated process on a system, they can cause more damage and lead to other types of attacks.
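The distinction between the two delivery methods is also the distinction a defender can act on: a browser-based miner lives inside a browser process and dies with the tab, while a software-based miner runs as its own persistent process and, per the text above, deserves a wider investigation. The following triage script is an added example, not code from the original article or from Cisco Umbrella. It runs a few simple heuristics over endpoint telemetry records that are constructed inline (image names, the `pool.example.test` host, CPU thresholds and the `svc_update.exe` name are all assumptions for illustration); in practice the same fields would come from EDR process and network events.

```python
"""Heuristic triage of endpoint telemetry for cryptojacking indicators.

Added example, not from the original article. All telemetry below is
constructed for illustration; thresholds and host lists are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Browser image names (assumption: tune to the fleet being monitored).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "chrome", "firefox"}

# Stratum is the protocol miners commonly use to talk to a pool. Browser miners
# usually reach a pool through a WebSocket proxy instead, so a host denylist
# is checked as well. The host below is a constructed placeholder.
STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
POOL_HOSTS = {"pool.example.test"}


@dataclass
class ProcessTelemetry:
    pid: int
    image: str
    cpu_samples: List[float]   # percent CPU at regular intervals
    persistence: bool          # autorun/service/scheduled-task entry points at this image
    connections: List[str]     # outbound destinations as scheme://host:port


def sustained_cpu(samples: List[float], threshold: float = 80.0,
                  min_fraction: float = 0.8) -> bool:
    """True when at least min_fraction of the samples reach the threshold.

    A single spike is normal; a miner keeps the CPU pinned for the whole window.
    """
    if not samples:
        return False
    hot = sum(1 for s in samples if s >= threshold)
    return hot / len(samples) >= min_fraction


def talks_to_pool(connections: List[str]) -> bool:
    """True if any destination uses a Stratum scheme or a denylisted pool host."""
    for dest in connections:
        low = dest.lower()
        if low.startswith(STRATUM_SCHEMES):
            return True
        if urlparse(low).hostname in POOL_HOSTS:
            return True
    return False


def classify(proc: ProcessTelemetry) -> str:
    pool = talks_to_pool(proc.connections)
    hot = sustained_cpu(proc.cpu_samples)
    if proc.image.lower() in BROWSER_IMAGES:
        # Browser-based: activity is bounded by the tab, no persistence of its own.
        return "browser-based" if (pool and hot) else "benign"
    if pool and proc.persistence:
        # Software-based: dedicated, persistent process. This is the case the
        # article flags as a possible precursor to credential theft or ransomware,
        # so the finding should open a broader investigation, not just a cleanup.
        return "software-based"
    if pool or hot:
        # One indicator only: worth a look, not yet a confident verdict.
        return "suspicious"
    return "benign"


def triage(records: List[ProcessTelemetry]) -> Dict[int, str]:
    """Map each pid to its verdict."""
    return {r.pid: classify(r) for r in records}


# Constructed sample telemetry: one record per delivery method plus two controls.
SAMPLE_TELEMETRY = [
    ProcessTelemetry(4120, "chrome.exe", [91, 95, 93, 90, 94], False,
                     ["wss://pool.example.test:443", "https://news.example.test:443"]),
    ProcessTelemetry(7788, "svc_update.exe", [97, 98, 96, 99, 97], True,
                     ["stratum+tcp://pool.example.test:3333"]),
    ProcessTelemetry(2201, "python.exe", [85, 90, 88, 92, 95], False,
                     ["https://api.example.test:443"]),
    ProcessTelemetry(1040, "explorer.exe", [2, 3, 1, 4, 2], True, []),
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_TELEMETRY).items():
        print(f"pid {pid}: {verdict}")
```

The verdict for the persistent process is deliberately separate from the browser case: the browser finding is resolved by closing the tab or blocking the host, whereas the persistent finding should trigger a check for stolen credentials and other follow-on activity on that host.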
Cryptocurrency-enabled Cyber Extortion
A few years ago, ransomware was entirely opportunistic and automated, targeting both people and companies. They’d encrypt files on the direct systems they’d get a foothold onto. They might also encrypt attached storage or adjacent file servers but would generally stop there. Ransoms would typically be in the hundreds or low thousands of US dollars (nearly always to be paid in cryptocurrency).
There has been a distinct shift in extortion strategies. Attackers now spend more time and effort extorting entire companies for a far greater payout, rather than randomly attacking individuals. The frequency of these attacks is increasing.
For the initial stage of the process, cybercriminals continue to use the opportunistic approach by searching for valid credentials, security flaws, or spraying phishing emails to millions of addresses. When one of these approaches succeeds, the criminals no longer automatically deploy ransomware.
Instead, the rest of the process resembles a penetration test – often down to the tools used (Cobalt Strike is common). The attackers explore the infected organization to determine if it’s worth attacking (ability to pay and likelihood of paying seem to be the key criteria). They then carefully gain access to the internal network and deploy ransomware throughout.
Only when everything is in place do they start encrypting files and sending ransom notes.