Ransomware’s decline equals cryptomining’s rise
ESET’s Security Days Conference recently took place in Sydney, with a focus on the reduction of ransomware and the subsequent rise in cryptomining.
With these topics in mind, the conference looked into new security challenges facing organisations and governments, and the reality of online safety, for organisations and consumers alike.
“There’s a disconnect between the way users protect themselves in real life and how they protect themselves online. Consumers, employees, and managers all need to remember that what happens online can have real-life security repercussions,” says UNSW Cyber Canberra director Nigel Phair.
“Cautious people look both ways before the crossing the street so they don’t step in front of cars. Similarly, users need to double-check their activities online, think before they click, and exercise secure and responsible cybersafety methods.”
While traditional, mass-distributed, and mostly untargeted ransomware is on the decline, largely due to successful developments in cybersecurity procedures and products, many attackers have shifted to more effective strategies, like cryptojacking.
“Low-end hackers, or ‘script kiddies,’ have moved away from ransomware attacks that demand a payment in exchange for compromised data. This is because hackers experience a greater return by quietly infiltrating an organisation’s network, and discreetly mining cryptocurrencies using their victims’ computing and electrical power,” says ESET senior research fellow Nick FitzGerald.
“Cyptomining compromises aren’t obvious to organisations in the way ransomware events are. In fact, cryptomining attacks can continue for several days, weeks, or even months before being detected and disrupted. Plus, every machine successfully compromised by a cryptominer immediately starts earning the cybercriminal behind it something from the outset. This is a more attractive outcome than ransomware attacks, where only a small amount of victims usually pay up.”
FitzGerald says that ironically, the overall decline in ransomware attacks and increase in cryptomining might mean that enterprises are under increased threat if they do become victim of a ransomware attack. This is because despite the lower rates of ransomware attacks, remaining ransomware attacks tend to be developed and actioned by more focused, determined cybercriminals.
“An extreme form of this is cybercriminals who attack company networks via remote desktop protocol (RDP). If RDP access is only protected with a username and password, attackers can make mass, repeated attempts to guess these, particularly when there’s no rate-limiting mechanism in place to restrict multiple wrong-guesses,” says FitzGerald.
“This type of reformed, enterprise ransomware attack can be very effective, and compromise entire organisations’ networks. In 2018, a family of ransomware called SamSam compromised a range of healthcare and government entities, most successfully by brute-forcing RDP endpoints. Cybercriminals behind the attack demanded substantially larger ransom payments than those in run-of-the-mill ransomware attacks.”
In more everyday scenarios, successful cybercriminals can often gain access to restricted networks because employees unintentionally, and unknowingly, feed them pathways into the system.
“Hacker tricks like business email compromise (BEC) can see fake emails, disguised as legitimate ones from colleagues, fool people into making bogus payments,” says FitzGerald.
“Often, these emails appear to come from a manager’s account to their finance team, and request a large payment to a certain account, or inquire into confidential finance account or employee data details.”
According to FitzGerald, many cybercriminals behind BEC scams even have the ability to compromise corporate mail servers, or executives’ accounts on hosted services, so they can genuinely access, and send, emails directly from the targeted executives’ real business email.
“It’s important to avoid victim-blaming endpoint users. What matters is that users can identify red flags and suspicious activity, even in the seemingly mild form of an unusual email from a colleague,” says FitzGerald.
“Organisations need to improve their security training, and encourage employees to exercise the same level of caution online as they would in real life. However, organisations also need to improve their overall resilience, and implement strong rules to prevent ransomware or cryptomining attacks, for instance, ensuring payment requests are only authorised over the phone, or in-person. Organisations’ daily and business procedures need to significantly improve so they can recognise and resist increasingly sophisticated attacks.