Cryptojacking: the cyber ghost

Slow computer system? Hackers could be mining for cryptocurrency right under your company’s nose.

If there is one trend that characterises cyber crime, it’s the rapid evolution of new ways that cyber criminals find to target businesses and individuals. Last year, ransomware hit the headlines through the WannaCry and NotPetya attacks. In 2018, some cyber criminals have started to move away from very obvious and invasive ransomware attacks to a new, more stealthy cyber crime: cryptojacking. 

Instances of cryptojacking rose 8,500% in the final quarter of 2017, while also making up nearly a quarter (24%) of all online attacks in December 2017, according to the US cyber security firm Symantec. Although the initial threat might come from the same source as a typical ransomware attack – a phishing email, or a compromised website that unsuspecting users are lured into visiting – the crime is very different. Once a hacker has access to a compromised computer system, instead of downloading a ransomware payload to encrypt a victim's files, the cryptojacking attack will install ‘mining’ software. This sits in the background, uses spare processing power on the victim's machine or office server, and quietly mines cryptocurrency for the hacker.

More lucrative, less effort

Cryptojacking can be more lucrative and certainly involves less effort than ransomware, which often requires the hacker to interact with the victim, either to negotiate or assist them to pay a ransom in Bitcoin. With cryptojacking, once the mining malware is installed it can be left running for as long as the criminal wants or until the victim discovers the problem. “In other forms of hacking there is a real downside for the criminal in terms of the risks of having to deal directly with the victim, which could also lead to intervention from law enforcement,” says Tony Kriesel, Casualty Senior Claims Underwriter at Hiscox London Market. “But cryptojacking is very easy to deploy, with little expertise needed – kits are available cheaply on the dark web – and involves less obvious risk for the hacker.” 

It’s a new threat that could, in time, supersede ransomware, says Matt Webb, Cyber Line Underwriter for Hiscox London Market. “With such a significant rise in cryptojacking, the challenge for every organisation is to recognise that they could have a problem but might well be unaware of it given cryptocurrency mining software is so difficult to discover.”

Hiscox has already seen cryptojacking claims from clients, including a PR company that noticed a problem with its emails but concluded the most likely cause was malicious activity. An IT forensics team, dispatched as part of the insurance response, investigated and confirmed the company’s IT systems had been infected with cryptojacking malware to mine for cryptocurrency. Another larger technology firm was also alerted to a possible problem after noticing an unusually high CPU (central processing unit) load on its web server. It also made a claim on its insurance, which paid for an IT security firm to remove the malware from its system and patch the vulnerability that allowed the original incursion.

Exposing security flaws

Cryptojacking alone doesn’t cost the victim in the way that ransomware or the theft of data may, says Kriesel. “The material impact of cryptojacking can be quite benign. No data is exfiltrated; no files are encrypted; no money is extorted; it’s just the processing power of a firm’s computer system that is used.” But the bigger and more worrying question businesses need to ask is how did the mining software get there and who put it there?

“Imagine you had been away on holiday,” says Winston Krone, Global Managing Director for cyber consultants Kivu Consulting, “and when you return home you find there are three strangers sleeping in your living room. As soon as you walk in they politely leave. They don’t appear to have taken anything or even left a mess, but how did they get in?” It’s that security flaw that could mean a firm is susceptible to other, more financially damaging cyber crimes, or indeed, have already fallen victim to an undetected theft, says Krone. IT forensic experts investigating the cryptojacking attack at the PR company also discovered that the hackers had accessed its systems and that personally identifiable information (PII) was potentially compromised. 

Regulators may intervene

That’s a danger of cryptojacking that may not be lost on regulators, says Krone. “Some US regulators have already taken the position that if a company suffers a ransomware attack then there is a presumption that data has been accessed which could lead to mandatory notification. It is up to the company to prove otherwise. Cryptojacking could well [be seen in the same way by] regulators and end up costing businesses more in terms of customer notification and other regulatory costs [than a malware attack].”

The growth of cryptojacking means that businesses need to ensure their insurance policy wordings are broad enough to cover this threat, says Webb. “Businesses aren’t likely to suffer losses in terms of stolen data or extortion costs, but they will need IT forensics to remediate the problem and legal counsel to close the loop on the regulatory issue.”

Practise good cyber hygiene

Businesses need to practise effective cyber hygiene, says Webb. “Alongside the standard advice regarding good password management and regularly updating software to ensure it is fully patched, organisations can also use server monitoring software to track the key metrics of servers such as processor, memory, network and disk usage.” In addition, businesses should ensure they have the best cyber insurance in place which is broad enough to cover the latest threats, while also adopting a thorough risk management approach, concludes Webb.
