Clavister Blog Staff

Dig this: why cryptomining could be the new ransomware

In Blog post by Clavister Blog Staff

If 2017 was the year of ransomware, is 2018 set to be the year of cryptomining malware? While ransomware attacks increased at up to 10 times the rate seen in 2016 over the past 12 months, the second half of 2017 also saw a massive increase in the use of cryptomining malware.

Unlike fast, disruptive ransomware attacks which aim to pressure victims into doing a deal with cybercriminals, cryptominers are intended to operate under the radar and remain undetected for as long as possible, to hijack unsuspecting users’ systems and crunch the necessary numbers and generate cryptocurrency.

The advantages to criminals of this stealthy approach were highlighted in a recent report, which stated that:  “An average system would likely generate about USD 0.25 of the Monero currency per day, meaning that an adversary who has enlisted 2,000 victims (not a hard feat), could generate USD 500 per day or USD 182,500 per year.” Despite the recent fluctuations in cryptocurrency values, that’s still a good return for a hacker, that only needs minimal upfront investment.

While a cryptominer infection is far less disruptive than a ransomware attack—it doesn’t scramble your data or lock up files—it still has an impact.  It can slow your servers and PCs to a crawl by hogging up to 80% of their CPU power, leading to frustrated users and applications or services that don’t function. And of course, it’s still a criminal activity.

Cryptominers are spread using many of the familiar techniques by which more conventional malware is spread: using existing exploit kits and downloaders that are already embedded and hidden on enterprise networks, and by drive-by downloads from infected websites or malvertising.


So how can you keep your networks and machines clear of cryptominers at bay? The first step is to ensure you’re using reputable, up-to-date antivirus software. This will help to identify the latest cryptomining malware variants, and stop them from infiltrating and infecting machines.

Secondly, it’s also advisable to segment your networks using firewalls. Intelligent segmentation helps to minimize the impact of an attack if it occurs, so criminals are significantly limited in the amount of processing power they can hijack. This functionality is built into Next Generation Firewall solutions.

Third, ensure your software patch management and intrusion prevention system (IPS) is updated, to block malware that tries to exploit known vulnerabilities.

Finally, you should look to use GeoIP blocking. GeoIP blocking works on the basic principle that the majority of IP addresses and websites your organization connects to should not come into contact with your organization. They may come from geographies where you don’t do business, or they may be bad IP addresses known to distribute malware to existing bot infections.

GeoIP blocking will cut out potentially malicious traffic from troublesome locations and IP addresses that are known to have been hijacked to hide threats within.  It can also block outbound communications from existing bot infections, which isolates and quarantines the bots from their command and control servers and means they can do no further damage.

With these measures in place, you can stop hackers digging for virtual gold using your network’s resources.