
Ransomware’s decline equals cryptomining’s rise

19 Mar 2019

ESET’s Security Days Conference recently took place in Sydney, with a focus on the reduction of ransomware and the subsequent rise in cryptomining.

With these topics in mind, the conference looked into new security challenges facing organisations and governments, and the reality of online safety, for organisations and consumers alike. 

“There’s a disconnect between the way users protect themselves in real life and how they protect themselves online. Consumers, employees, and managers all need to remember that what happens online can have real-life security repercussions,” says UNSW Cyber Canberra director Nigel Phair.
“Cautious people look both ways before crossing the street so they don’t step in front of cars. Similarly, users need to double-check their activities online, think before they click, and exercise secure and responsible cybersafety methods.”

While traditional, mass-distributed, and mostly untargeted ransomware is on the decline, largely due to successful developments in cybersecurity procedures and products, many attackers have shifted to more effective strategies, like cryptojacking. 

“Low-end hackers, or ‘script kiddies,’ have moved away from ransomware attacks that demand a payment in exchange for compromised data. This is because hackers experience a greater return by quietly infiltrating an organisation’s network, and discreetly mining cryptocurrencies using their victims’ computing and electrical power,” says ESET senior research fellow Nick FitzGerald.

“Cryptomining compromises aren’t obvious to organisations in the way ransomware events are. In fact, cryptomining attacks can continue for several days, weeks, or even months before being detected and disrupted. Plus, every machine successfully compromised by a cryptominer immediately starts earning the cybercriminal behind it something from the outset. This is a more attractive outcome than ransomware attacks, where only a small amount of victims usually pay up.”

FitzGerald says that, ironically, the overall decline in ransomware attacks and the increase in cryptomining might mean that enterprises face a greater threat if they do become the victim of a ransomware attack. This is because, despite the lower rate of ransomware attacks, the remaining ones tend to be developed and carried out by more focused, determined cybercriminals.

“An extreme form of this is cybercriminals who attack company networks via remote desktop protocol (RDP). If RDP access is only protected with a username and password, attackers can make mass, repeated attempts to guess these, particularly when there’s no rate-limiting mechanism in place to restrict multiple wrong guesses,” says FitzGerald.

“This type of reformed, enterprise ransomware attack can be very effective, and compromise entire organisations’ networks. In 2018, a family of ransomware called SamSam compromised a range of healthcare and government entities, most successfully by brute-forcing RDP endpoints. Cybercriminals behind the attack demanded substantially larger ransom payments than those in run-of-the-mill ransomware attacks.”
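The rate-limiting point FitzGerald makes above can be reduced to a single counter: failed logons per source address inside a sliding time window. The following is an added example written for this article, not code from ESET or the article itself; it assumes failed RDP logon records have already been reduced to (timestamp, source IP, account) tuples, and the sample records are constructed using documentation-only addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed remote-logon records (timestamp, source IP, account).
# These are not real log lines; the addresses are from the RFC 5737 documentation ranges.
SAMPLE_FAILURES = [
    ("2019-03-19T09:00:00", "198.51.100.7", "alice"),          # a real user mistyping
    ("2019-03-19T09:00:05", "203.0.113.5", "administrator"),  # one source, many accounts,
    ("2019-03-19T09:00:07", "203.0.113.5", "admin"),          # a few seconds apart
    ("2019-03-19T09:00:09", "203.0.113.5", "backup"),
    ("2019-03-19T09:00:11", "203.0.113.5", "sql"),
    ("2019-03-19T09:00:13", "203.0.113.5", "support"),
    ("2019-03-19T09:08:00", "198.51.100.7", "alice"),          # same user, minutes later
]


def parse(record):
    ts, ip, user = record
    return datetime.fromisoformat(ts), ip, user


def detect_guessing(records, max_failures=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed logons per source IP.

    Returns {ip: timestamp} giving the moment each source first reaches
    `max_failures` failures within `window`. This is the same counter a
    lockout or rate limit would act on: once reached, throttle the source.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, _user in sorted(map(parse, records)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


def distinct_accounts(records, ip):
    """How many different usernames one source tried: guessing campaigns
    cycle through names, a forgetful user keeps retrying their own."""
    return len({user for _ts, src, user in map(parse, records) if src == ip})


if __name__ == "__main__":
    for ip, when in detect_guessing(SAMPLE_FAILURES).items():
        print(f"{ip}: 5+ failed logons within 60s by {when.isoformat()}, "
              f"{distinct_accounts(SAMPLE_FAILURES, ip)} distinct accounts tried")
```

The thresholds are placeholders; the point is that without any such counter in front of RDP, every guess costs the attacker nothing and the defender notices nothing.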

In more everyday scenarios, successful cybercriminals can often gain access to restricted networks because employees unintentionally, and unknowingly, feed them pathways into the system.

“Hacker tricks like business email compromise (BEC) can see fake emails, disguised as legitimate ones from colleagues, fool people into making bogus payments,” says FitzGerald.

“Often, these emails appear to come from a manager’s account to their finance team, and request a large payment to a certain account, or inquire into confidential finance account or employee data details.”

According to FitzGerald, many cybercriminals behind BEC scams even have the ability to compromise corporate mail servers, or executives’ accounts on hosted services, so they can genuinely access, and send, emails directly from the targeted executives’ real business email. 

“It’s important to avoid victim-blaming endpoint users. What matters is that users can identify red flags and suspicious activity, even in the seemingly mild form of an unusual email from a colleague,” says FitzGerald.

“Organisations need to improve their security training, and encourage employees to exercise the same level of caution online as they would in real life. However, organisations also need to improve their overall resilience, and implement strong rules to prevent ransomware or cryptomining attacks, for instance, ensuring payment requests are only authorised over the phone, or in person. Organisations’ daily and business procedures need to significantly improve so they can recognise and resist increasingly sophisticated attacks.”
