Cryptojacking: Cryptocurrency Mining Meets Malicious Intentions
With data center technology evolving relentlessly, IT professionals must grapple with a dynamic security landscape, as malicious actors leverage new capabilities to launch even more sophisticated cyberattacks, particularly in the ransomware genre.
One such example is the recent intersection of cryptocurrencies, data storage and cyberattacks. While ransomware has been a longstanding data theft strategy, a newer, more lucrative opportunity is beginning to emerge on the back of explosive growth in cryptocurrencies, such as Bitcoin, Ethereum, and Litecoin, and ongoing complexity in the data center: cryptocurrency mining. Of late, this phenomenon has been affecting organizations at an alarming rate; a recent report from the IBM X-Force Research revealed that cryptocurrency mining attacks aimed at enterprise networks jumped six fold between January and August 2017, and that number is only expected to increase in 2018.
Cryptocurrency mining has become an increasingly popular way to apply blockchain technology, which ensures consistency and durability within a transaction, and has become the basis for an evolved form of ransomware attack. Where hackers previously encrypted and stole data, many now prefer to mine cryptocurrency, aka “cryptojacking.” It’s simpler, harder to detect, and requires zero interactions with the other party in order to profit off of their dime.
In a typical ransomware scheme, hackers employ some type of spear phishing technique that, if successful, executes malware designed to root out data on that system or a shared storage drive for ransom. These attacks manifest as significant spikes in CPU and memory usage on the systems under attack, correlated with storage showing certain data sets doubling and shrinking back down in a relatively short amount of time. This corresponds to the dataset being encrypted for ransom and the original dataset being purged. Using decoupled backups and a correlated alert strategy that looks for the presence of several concurrent red flags (CPU and memory spiking, a dataset that is growing at too fast of a rate, and an equally quick decrease in dataset size), IT professionals have been able to guard against these types of traditional ransomware attacks.
But times are changing. The rapid pace of innovation has spawned greater complexity in the data center—from sprawl and distributed environments to operational siloes and monitoring blind spots—and cryptocurrency mining specifically exploits these challenges.
Instead of malware designed to capture and hold data for ransom, cryptocurrency mining schemes infect systems with bots coded to mine for bitcoins and create as many “zombie miners” as possible. Charges from increases in compute, energy, or cloud resources associated with “zombie miners” activated through a ransomware attack can often go unnoticed by disparate budget authorities until a collective audit is conducted. Similarly, on-premises sprawl and easier consumption of cloud services create a cover for ransomware attacks as they essentially become part of an organization’s “noise.” When a company pays for its cloud services, for example, sprawl creates an opportunity for cryptojacking bots to mine for cryptocurrency within the overall IT spend, unbeknownst to the company. Add in factors such as Spectre and Meltdown and the symptoms become more obfuscated.
The cherry on top? Cryptojacking uses the same fundamental infection strategy as ransomware, but introduces the added benefit, for the hacker, of cutting out the middleman—the organization under attack. With the ability to earn even one bitcoin, hackers can eliminate the significant pitfall inherent to ransomware attacks: the variable of choosing data worth ransoming. In ransomware schemes, a hacker has no insight into the data they’ve encrypted; it may be throwaway data that a company isn’t willing to pay ransom for, making the attack unsuccessful. Mining for cryptocurrencies eradicates this unknown and creates direct-to-hacker profitability. It’s all about ROI, even for hackers.
What To Do about It
While threats of ransomware and cryptocurrency mining are very real, there are several best practices IT professionals and storage administrators can leverage to help prevent and mitigate these types of cyberattacks.
Monitoring as a Discipline (MaaD): The concept of MaaD emphasizes proactive monitoring to track irregularities, in an attempt to identify and quell threats or risks before they become full-blown attacks. In the age of cryptocurrency mining, employing monitoring tools with alerts to flag unfamiliar IP addresses and detect traffic and connection anomalies is also crucial. Organizations can leverage monitoring software, resources, and toolsets to help identify and track compute memory and measure CPU utilization.
Remember 3, 2, 1: Although the cyberattack landscape is changing, traditional ransomware attacks still wreak havoc on organizations. IT leaders surveyed in a recent SolarWinds MSP study about the aftereffects of the WannaCry, Petya, and Vault 7 attacks reported that these attacks cost their companies an average of $2.07 million USD. However, if an organization becomes the target of a more traditional ransomware attack and a dataset becomes exposed, the pain of having to pay ransom can be alleviated by adopting the universal backup best practices—the concept of 3, 2, 1. This is the notion of backing up data and maintaining three copies of it. Storing backup copies of mission-critical data on two types of media (tape, network attached storage (NAS), storage area network (SAN), cloud storage, etc.) can help ensure that copies of data remain untouched during an attack. Additionally, one copy of the three should be kept offsite, disparate from the rest. That way, if an attack wipes production data and backup data, recovery originates from the offsite, disparate copy. Implementing the 3, 2, 1 backup strategy allows a company to minimize the damage radius from a ransomware attack.
Break down organizational silos: Disparate teams within a company that operate under separate budgets and maintain different standards can (unfortunately) allow cyberattacks to go unnoticed for extended periods of time. While MaaD provides a foundation for preventing and mitigating attacks, organizations that adopt a DevOps culture—a collaborative culture of continuous integration and delivery with a constant stream of communication—can help lower the risk of unobserved cyberattacks. Minimizing friction across departmental silos helps accelerate observability across updates, changes, deployments, and time-to-resolution for issues, all of which can help keep an organization safe from attacks. Finally, involving the whole team to embrace monitoring as a discipline is of paramount importance; using a monitoring dashboard to communicate and connect the context across the IT operations team, including DevOps and traditional teams, can help identify and prevent abnormalities.
End-user education: Some of the latest malware comes through a browser itself, masquerading as an extension to the browser. Hackers have been latching on to extensions that end-users can enable to block ads, offering and spoofing popular extensions that an end-user allows to run and execute, in turn compromising their system. IT professionals must ensure that end-users are educated in the risks associated with clicking on anything, and end-users must be vigilant to avoid unwittingly exposing their systems to attacks from malicious bots.
To avoid feeling the effects of ransomware attacks, organizations should employ monitoring as a discipline, and put into practice the 3, 2, 1 methodology: maintaining three copies of data, two backup copies on different media, and one copy kept offsite. Navigating the new cyberattack landscape with cryptojacking bots, however, requires its own set of strategies and tactics: employing monitoring tools, breaking down organizational silos, and educating end-users can prevent and mitigate devastating security attacks, and help maintain business continuity.
Kong Yang is head geek at SolarWinds.