WannaCry's more profitable successor: Cryptomining
While cryptomining poses little business interruption, a fluctuating cryptocurrency market could unleash a return to more traditional attack vectors.
The cybersecurity industry was put in a time warp when Boeing suffered a spate of WannaCry in March, almost a year after the ransomware's initial onslaught. While the worm's revival may have come as a shock to some, security researchers have been tracking WannaCry's path since its release.
"It's not like the situation has gotten any better," said Alexander Heid, chief research and development officer at SecurityScorecard, in an interview with CIO Dive.
WannaCry leveraged the EternalBlue exploit from the Shadow Brokers toolkit and targeted certain versions of Windows, according to Heid. But since the attack last year, different variants have emerged, such as weaponized versions of EternalBlue and EternalRed, which targets Linux systems.
Now attackers are taking the exploits used in WannaCry and bundling them with common system flaws, such as the Apache Struts and Oracle WebLogic vulnerabilities. Instead of unleashing ransomware, attackers are using exploit kits to capitalize on something far more profitable: cryptocurrency mining.
Ransomware's more profitable cousin: Cryptomining
Cybercriminals are known for working smarter, not harder. Automating more attacks and going for easy targets allows for quick returns. Attackers, too, have followed cryptomania, but instead of going for trading and the short sale, they're turning to malicious mining.
"We've seen a clear exodus of attackers moving away from ransomware towards cryptomining, specifically toward cryptocurrencies that are ASIC resistant," said Craig Williams, senior threat researcher and global outreach manager at Cisco Talos.
ASICs are pieces of computer hardware designed to do tasks very quickly and are used in cryptocurrency mining. Mining cryptocurrencies from a home computer is not profitable, particularly because of the costs incurred to use specialized hardware. But cryptocurrencies like Monero were designed to be ASIC resistant, anonymous and untraceable, according to Williams.
"So what we've seen is a clear shift of our adversaries moving toward cryptocurrencies like Monero because it has a regular payout," said Williams. "As long as the crypto market stays high, they're going to keep going for that regular payout because it's almost undetectable to the end user, which means the risk from law enforcement is nearly nonexistent."
Cryptomining has a bigger advantage: It poses little interruption to end users and largely goes unnoticed. Miners are designed to consume only a fraction of a system's total power, allowing them to remain undetected. Users can still operate their machines, largely without noticing malicious actors are siphoning small amounts of computing power.
The virus, called MassMiner, is a much quieter way of generating revenue, according to Heid, and some groups have made as much as $2.4 million targeting web servers and businesses.
"From a bad guy's standpoint, there's no risk," Williams said. "There's a steady payout of around a quarter per compromised machine, so if they have a large enough botnet, they're now making hundreds of thousands of dollars a year with no real risk to them."
By comparison, ransomware yields a small payout but a larger risk because attackers are impeding a victim's ability to operate. But those industries prone to paying ransoms — such as medical and manufacturing industries — will likely still see attacks because of the high percentage of payout.
While using viruses to mine seems inoffensive, risks are dormant while cryptocurrency is in a profitable, very expensive state. "The moment it's no longer profitable to mine cryptocurrencies and is instead more profitable to go back to traditional vectors of cybercrime such as DDoS attacks and so forth, then we're likely to see all these infections used for something more," said Heid.
WannaCry to NotPetya to … what's next?
Cybersecurity researchers and threat analysts are quick to admit their jobs become quite fun during a global cyber event. Finding the root of an incident and helping organizations quickly respond is akin to a cat and mouse game.
But at first glance, it would seem the industry is overdue for another global incident. "There's actually more malicious activity going on now and any time there's any type of global social unrest or big decisions as well, there's also a huge spike," said Heid.
While it wasn't as publicized as WannaCry and NotPetya, Olympic Destroyer targeted the Winter Olympics in February and was another successor to last year's attacks. Though it wasn't necessarily from the same group, it operated as "a piece of malware designed to destroy data," said Williams.
What's curious about Olympic Destroyer and should give organizations pause is that it carried multiple false flags designed to blur attribution and confuse researchers.
From a business standpoint, what we've seen is "our adversaries are intentionally framing each other, very very openly and publicly to make software based attribution impossible," said Williams.
Nation state politics aside, malicious actors are going to look at the underground economics of cybercrime and aim for the best ROI. While that is cryptomining right now, the market could turn once again.
For businesses, the only hope is to get better and faster at patching. Without that, companies will continue to suffer crippling and potentially avoidable cyberattacks.
Follow Naomi Eide on Twitter