Ransomware has caused little more than heartache and disruption for the enterprise and consumers alike, but it may soon lose its lucrative appeal in favor of cryptocurrency miners.
Over the last few years, ransomware, which targets systems, encrypts files, and demands a blackmail payment in return for a potential decryption key, has hit the spotlight time and time again.
The UK's National Health Service (NHS), major shipping companies, utilities, private businesses, and consumers at large have all fallen prey to variants including Petya, WannaCry, GoldenEye, and CryptoLocker.
This type of malware capitalizes on unpatched PCs, legacy operating systems, and vulnerabilities both old and new.
However, according to Cisco Talos researchers, cryptocurrency miners may soon take the top spot as a way for fraudsters to generate income.
Cryptocurrency mining software is not malware. The software itself is used to leverage computing power -- such as the CPU of a visitor to a webpage -- to mine for cryptocurrency such as Monero.
The Pirate Bay ran a trial with miners to see whether revenue generation based on borrowed CPU power could replace ads, but the test faced backlash as user consent was not requested.
According to Adguard, 2.2 percent of the top 100,000 websites on Alexa are now mining through user PCs, many of which are not asking for user permission. This has led many antivirus providers to brand the software as nuisanceware.
It is not just legitimate website operators who are looking to cash in on cryptocurrency, however.
Talos researchers say that as the value of cryptocurrency continues to surge, "mining-related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks."
Over the past several months, the research team has noticed a wave of new attacks designed to take advantage of the interest in cryptocurrency, as well as a "marked increase" in cryptocurrency mining software which has been delivered to PCs as a malicious payload.
A cryptocurrency miner delivered as a malicious payload, dubbed Dark Test, has been spotted in the wild, and in addition, the RIG exploit kit has been delivering miners through smokeloader over the past few months.
Internet of Things (IoT) devices, in particular, are an attractive target as they lend computing power which is far less likely to be noticed by a victim.
While often limited in computing power, IoT devices -- such as smart lighting, appliances, and security systems -- are not usually directly overseen by users, and so may generate income for attackers for long periods of time.
Talos estimates that an average compromised system which is running cryptocurrency mining software and depositing the proceeds into attacker wallets will generate roughly $0.28 in Monero per day.
This doesn't sound like much, but once you enslave 2000 systems, this could equate to $568 per day or over $200,000 per year.
"This is all done with minimal effort following the initial infection," the team notes. "More importantly, with little chance of being detected, this revenue stream can continue in perpetuity."
Talos noticed Chinese and Russian criminals discussing cryptocurrency miners in 2016, and the latter have begun developing and selling mining packages over the past six months, as well as touting access to compromised systems for the sole purpose of cryptocurrency mining.
Some botnets, such as Satori, can enslave millions of devices at a time. If a botnet focuses on IoT devices and each one is mining for cryptocurrency, the possibilities for fraudulent income are endless.
In one campaign utilizing a cryptocurrency mining botnet noticed by the team, the attacker amassed enough computing resources to mine cryptocurrency worth $184,000.
"Once the currency is mined, there is no telling what the attacker might do with it," Talos says. "This could become a long-term investment (or even retirement) scheme for these attackers -- sitting on this currency until it hits such a point where the attacker decides to cash in."