Ride the Lightning

The Decline of Ransomware and the Rise of Cryptocurrency Mining

July 5, 2018

What is happening to ransomware? As ZDNet posted, in 2017, high-profile incidents like the WannaCry and NotPetya ransomware were in the news all the time. Stories about Bad Rabbit, Locky and Cerber abounded.

Kaspersky Lab's latest Kaspersky Security Network report claims that ransomware as a whole is "rapidly vanishing" with a 30 percent decline in ransomware attacks between April 2017 and March 2018 compared with the same period the previous year. A recent threat report by McAfee Labs also suggests a drop in the detection of ransomware attacks — putting the decline at 32 percent.

A key factor behind the decline is the rise of cryptocurrency mining malware and low-level cyber criminals shifting their attention to 'cryptojacking' as a simpler, less risky means of illicitly making money.

These cryptojacking attacks involve attackers infecting a PC with malware which secretly uses the processing power to mine for cryptocurrency — usually the relatively simple-to-mine Monero — which is deposited into their own wallet. Unlike ransomware, it's stealthy and so long as the infection isn't discovered, it will continue to deliver the attacker a steady stream of income. The subtle nature of the attack has boosted the popularity of cryptojacking throughout 2018.

Don't feel safe just yet. Ransomware still remains a threat — as evidenced by a March attack on the City of Atlanta, which encrypted data and led to the shutdown of a large number of online services. The city didn't pay the ransom, but the impact of the attack is projected to cost Atlanta at least $2.6 million.

The Atlanta attack came as a result of SamSam, a family of ransomware which has been in operation since 2015. Potentially vulnerable targets were specially sought out in order to ensure that the ransomware could be set to spread across the network once the hackers activate the attack.

Victims often pay tens of thousands of dollars to retrieve their files: in January a hospital paid out a $55,000 bitcoin ransom following a SamSam infection — despite having backups available, because paying up was the quickest way to get systems back online. Targeting the ransomware has proven quite profitable.

Another successful ransomware variation is GandCrab which first appeared in January and has received updates ever since. "GandCrab is using agile technology because they're using techniques which are like the software industry. They're patching their ransomware on an almost daily basis, they fix bugs as they go along — it's a really nice approach," Yaniv Balmas, malware research team leader at Check Point, told ZDNet.

The new kid on the block is DataKeeper, which surfaced in February. Those behind it are serious enough that they monitor research blogs which mention it. "They're applying a lot of technical best practice, they're an active adversary. We see the DataKeeper guys looking at security research blogs and releases of detection — and soon as something is released, a very short time later they're changing and updating their stuff," James Lyne, global research advisor at Sophos, told ZDNet.

Ransomware may have lost some ground, but it remains profitable for criminal and a headache for victims who can't afford to be out of business. And it takes longer to realize profits from cryptocurrency mining. But you do fly under the radar, unlike ransomware, so it is directionally where many folks are going.

Behind much of the potency of ransomware is the EternalBlue SMB vulnerability which allowed WannaCry, NotPetya and other ransomware attacks to self-perpetuate around networks. Unpatched systems abound, and they are still vulnerable.

Ransomware remains a threat – don't forget that while cryptocurrency mining is now grabbing all the headlines!

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson