Increased security measures and awareness are driving cybercriminals to change their techniques in search of a better return on investment, ditching ransomware and malware-based attacks for cryptojacking attacks, according to a new study by IBM.
Malicious coin-mining, or cryptojacking, is the act of installing a cryptocurrency miner on the victim’s endpoint without their knowledge, thus enslaving their device to slowly gather coins for the attacker. This operation taxes the device’s CPU/GPU, is costly in terms of electric power, and can damage devices as they overheat.
According to the annual 2019 IBM X-Force Threat Intelligence Index, the number of cryptojacking attacks nearly doubled those of ransomware attacks in 2018. With the price of cryptocurrencies like Bitcoin hitting a high of nearly US$20,000 going into 2018, lower-risk/lower-effort attacks secretly using a victim’s computing power were seen as more profitable.
Cryptojacking has been on the rise in the past two years, and IBM expects it to continue to affect companies in 2019 as well.
“If we look at the drop in the use of malware, the shift away from ransomware, and the rise of targeted campaigns, all these trends tell us that return-on-investment is a real motivating factor for cybercriminals,” said Wendi Whitmore, director of IBM X-Force Threat Intelligence.
“We see that efforts to disrupt adversaries and make systems harder to infiltrate are working. While 11.7 billion records were leaked or stolen over the last three years, abusing Personally Identifiable Information (PII) requires more knowledge and resources and attackers are exploring new illicit profit models to increase their return on investment.
“One of the hottest commodities is computing power tied to the emergence of cryptocurrencies. This has led to corporate networks and consumer devices being secretly hijacked to mine for these digital currencies.”
The Threat Intelligence Index found that cybercriminals are developing various new tools and tactics to infect the hardware of both corporate servers and individual users, spreading cryptojacking malware to do the mining for them. Additionally, attackers are making the obfuscation capabilities of coin-mining malware more sophisticated, giving them the ability to infect more devices and web resources and collect coins over a longer period.
With the growing proliferation of cryptocurrencies and digital tokens in many countries, and especially in developing economies, threat actors in Eastern Europe and North Korea in particular have taken notice of the profitability of coin-mining malware.
Facing continued international sanctions over its nuclear program, North Korea continued to focus on cryptocurrency mining in 2018 as part of its revenue-generation tactics. Early in 2018, a North Korean university was seen mining the privacy-focused cryptocurrency Monero.
While North Korea may continue its foray into cryptomining, most of its activities involve direct compromises of cryptocurrency exchange platforms.
According to an October 2018 report from Group-IB, a North Korean hacking group nicknamed the Lazarus Group managed to hack five cryptocurrency exchanges in 2017 and 2018, stealing roughly US$571 million worth of cryptocurrencies. In 2016, the group funneled US$81 million from the central bank of Bangladesh.