Security Pros Fear Data Compromise, Financial Loss, and More from Cryptomining. But Are Risks Founded?
For over a year now, Lastline has witnessed a tremendous increase in malware designed for criminal cryptocurrency mining, or “cryptomining.” Of course, we all know that Bitcoin has been the go-to cryptocurrency for criminal payments in ransomware, but now, on the back of Bitcoin’s successful usage in cybercrime, we are seeing other criminal groups adopt other currencies for money-making activities. According to coinmarketcap.com, there are now over 2,000 cryptocurrencies, up from 1,300 at the beginning of the year, with new initial coin offerings (ICOs) taking place all the time.
The Rise of Cryptocurrencies Has Led to a Rise in Criminal Cryptomining
So, what happens when an employee’s system is infected with cryptomining or cryptojacking malware? The first reaction is that all malware carries high risk, which is not a bad starting point. Indeed, a recent survey that Lastline conducted at the 2018 RSA Conference found that 65 percent of security professionals are concerned about cryptomining, either as a possible threat or a clear and present danger.
Survey Results Highlight Security Concerns Related to Cryptomining
In a follow-up survey at Black Hat 2018, Lastline surveyed 235 security professionals with the following results:
- 56% believe that cryptomining will still be the biggest threat in 2019, while 16.7% were unsure, and only 2% think ransomware will regain the distinction as the most popular type of attack.
- The biggest risks that these professionals believe will result from a criminal cryptomining attack are:
  - Data compromise: 34.9%
  - Financial loss: 28.0%
  - Slower system performance: 18.1%
  - “Land and expand” (see below) by the attackers: 16.8%
But the reality is that cryptomining is an attack with a low risk of serious harm. While security professionals are worried about data compromise and financial loss, all the criminals want are your CPU cycles. This may slow performance, but on its own it doesn’t put IP, financial data, or PII at risk.
What Is the Real, and Potential, Impact of Criminal Cryptomining?
There certainly are potential risks of having one’s network compromised by cryptomining malware. Criminals could – to borrow a phrase from enterprise sales jargon – land and expand, which means to get an initial set of malware installed and the C&C channel operational, and then subsequently download more aggressive malware. Or they could sell their compromised systems to other criminals with other intents. These scenarios are not purely hypothetical – we know Smoke Loader and other loaders install multiple payloads. However, the criminals’ objective is to mine cryptocurrency and have the victim’s computer do that on their behalf for as long as possible. So, why would they risk discovery by changing their game?
There also are regulatory risks to consider. Should an infected system be found to also have access to confidential, private, or proprietary data, then even if the criminal is not actually after the data, that data has been exposed and so the company could be subject to regulatory and public relations ramifications. We have seen organizations notify of possible breaches out of an abundance of caution before actual proof of activity has been established. Certainly, a burden of proof exists to show cryptomining malware presents more of a regulatory risk than other malware infections that may have more nefarious intent.
Perhaps the biggest driver behind the perceived risk of cryptomining malware is security efficacy. It’s understandable that no self-respecting security analyst wants to admit that there’s a hole in company defenses that allows malware of any kind to operate on his or her network. This introduces an intriguing tradeoff – time spent detecting or remediating cryptomining comes at the cost of possibly missing another, higher-risk attack. Every company we talk to is short-handed in their Cyber Defense Initiatives or SOC, so it’s a constant exercise of prioritizing where to spend the limited time. You have to ask yourself what’s worse: malware that slows down a CPU or malware that’s actively looking to exfiltrate personal and financial data?
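The prioritization argument in the last three paragraphs (plain CPU drain is low harm; “land and expand” follow-on payloads, access to regulated data, and active exfiltration each raise the stakes) can be turned into a simple alert-triage rule. The following is an added illustration written for this page, not Lastline code or product logic; the `HostAlert` fields, the weights in `risk_score`, and the sample records are all constructed assumptions chosen to reflect the ordering the post argues for.

```python
"""Alert triage example: rank cryptomining-related detections by the harm
categories discussed in the post (CPU drain, follow-on payloads, exposure
of regulated data, active exfiltration). All records are constructed."""
from dataclasses import dataclass
from typing import List


@dataclass
class HostAlert:
    host: str
    malware_class: str          # assumed values: "cryptominer", "loader", "infostealer"
    cpu_pct: float              # sustained CPU use attributed to the malicious process
    followon_payloads: int      # additional payloads dropped after the initial infection
    has_sensitive_access: bool  # host can reach confidential, PII, or financial data
    outbound_volume_mb: float   # unusual outbound data volume observed since infection


def risk_score(a: HostAlert) -> int:
    """Higher score = handle first. Weights are illustrative assumptions."""
    score = 0
    # A miner by itself mostly costs CPU cycles: low base risk, a little more
    # when it is saturating the machine and hurting performance.
    if a.malware_class == "cryptominer":
        score += 10
        if a.cpu_pct >= 80:
            score += 5
    # "Land and expand": a loader that has already pulled further payloads
    # means the operator's intent is no longer limited to mining.
    if a.malware_class == "loader":
        score += 20
    if a.followon_payloads > 0:
        score += 30 + 10 * min(a.followon_payloads, 3)
    # Regulatory exposure: even if the data was never the target, an infected
    # host with access to it may trigger breach-notification obligations.
    if a.has_sensitive_access:
        score += 25
    # Active data theft outranks everything else in the queue.
    if a.malware_class == "infostealer" or a.outbound_volume_mb > 100:
        score += 50
    return score


def priority_label(score: int) -> str:
    if score >= 50:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


def triage(alerts: List[HostAlert]) -> List[HostAlert]:
    """Return alerts ordered from most to least urgent."""
    return sorted(alerts, key=risk_score, reverse=True)


# Constructed sample alerts covering the four cases the post contrasts.
SAMPLE_ALERTS = [
    HostAlert("ws-101", "cryptominer", 95.0, 0, False, 1.0),    # miner only
    HostAlert("ws-102", "cryptominer", 60.0, 0, True, 2.0),     # miner on a host with regulated data
    HostAlert("ws-103", "loader", 5.0, 2, False, 5.0),          # loader that has dropped two payloads
    HostAlert("ws-104", "infostealer", 3.0, 0, True, 450.0),    # stealer actively exfiltrating
]


def triage_order(alerts: List[HostAlert] = SAMPLE_ALERTS) -> List[str]:
    """Host names in the order an analyst should work them."""
    return [a.host for a in triage(alerts)]


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        s = risk_score(a)
        print(f"{a.host:8} {a.malware_class:12} score={s:3} priority={priority_label(s)}")
```

Run as a script it prints the queue with the infostealer first, the loader second, the miner with access to regulated data third, and the plain miner last, which is the ordering the post argues for: the CPU-only case is real but belongs at the bottom of a short-handed SOC’s list.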