Amateur cryptojackers and Apple Macs emerge as two trends in mining malware for 2018


2017 was an important year for cryptojacking. It grew by eighty-five percent, according to data published by Symantec in March. And 2018 appears to have been an even bigger year for mining malware, since the September report by the Cyber Threat Alliance revealed that cryptojacking had increased by a further 500 percent since January 1.

However, beneath this simple growth pattern lies a bigger and more complicated picture. While several quarterly reports show that detections of mining malware rose in the first two quarters of 2018, other reports suggest that they have actually declined.

And while the overall growth in mining malware since last year has been attributed to the volatility of cryptocurrency prices and to software vulnerabilities, other factors have played a significant role, such as the involvement of amateur cryptojackers and the cost of legitimate mining.

Amateur cryptojackers

If there is a dominant trend this year in the underground world of cryptojacking, it is that most mining malware focuses on Monero. In fact, Palo Alto Networks revealed in July that Monero accounts for 84.5% of all detected mining malware, compared with 8% for Bitcoin and 7% for other currencies.


The reason is simple: Monero (XMR) is not only a privacy coin, but the largest privacy coin by market capitalization and the 10th largest cryptocurrency overall. Using the Cryptonight proof-of-work (PoW) algorithm, it mixes a user's transaction inputs with those of other users and also uses "ring confidential transactions" that obscure the amount of XMR being transferred. It is therefore ideal for cyber criminals.

Monero was already the most popular currency for cryptojackers in 2017, but in 2018 numerous new developments emerged to distinguish this year from its predecessor. In particular, cryptojacking is increasingly the province of amateur "hackers" who are lured into illegal activity by the easy availability of mining malware and the obvious financial benefits. According to the Russian cybersecurity company Group-IB, the dark web is "invaded by low-cost mining software", which can often be purchased for as little as $0.50.

This software has become abundant this year: in 2017, Group-IB found 99 advertisements for mining software for sale on underground forums, while in 2018 it counted 477, an increase of 381.8%. As the company emphasizes in its report:

"The low barrier to entry to the illegal mining market results in a situation in which cryptocurrency is mined by people without technical expertise or experience with fraudulent schemes."

More growth

In other words, cryptojacking has become a kind of hobbyist crime, popular among thousands of amateur hackers. This may explain why there was a sharp increase in detections this year, with Kaspersky Lab informing Cointelegraph that the number of PC victims of cryptojacking increased from 1.9 million in 2016/17 to 2.7 million in 2017/18. Evgeny Lopatin, a malware analyst at Kaspersky Lab, shared:

"The mining model […] is easier to activate and more stable [than other attack vectors]. Attack your victims, discreetly mine cryptocurrency using their CPU or GPU power, and then convert it into real money through legal exchanges and transactions."

Obviously, whenever "detections" are mentioned, the possibility arises that any increase is largely the result of improved detection measures. "However, this is not the main driver here, as we see real growth," says Lopatin.

"Our analysis shows that more and more criminals are using more and more cryptocurrency miners for malicious purposes all over the world."

McAfee noted in an April report that most of its detections were of CoinMiner, malware that surreptitiously runs code from the CoinHive XMR miner on the victim's computer. This happens when the victim downloads an infected file from the web, but the novelty of 2018 is that this threat now also affects Apple Macs, which were previously considered much safer than their Windows counterparts.

This development was noted by the US security firm Malwarebytes, which in a blog post in May reported the discovery of a new malicious cryptominer that abused the legitimate XMRig miner. Thomas Reed, the company's director of Mac and mobile, wrote:

"Often Mac malware is installed by things like fake Adobe Flash Player installers, downloads from piracy sites, [and] decoy documents that users are prompted to open."

In fact, this was not the first piece of Mac mining malware he had discovered: Reed stated that he had "tracked other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate."


However, while cryptojacking has become a more amateurish phenomenon, the fact remains that many of this year's attacks can be traced to more "elite" sources. The computer security company Proofpoint reported at the end of January that Smominru, a cryptomining botnet, had spread to over half a million computers, largely thanks to a Windows exploit discovered by the National Security Agency that was later leaked online.

This exploit is better known as EternalBlue, most famous for its role in the May 2017 WannaCry ransomware attack. According to the Cyber Threat Alliance (CTA), it is another factor behind this year's 459% increase in cryptojacking.

Worryingly, the CTA report suggests that cryptojacking is likely to increase as it becomes more profitable:

"[Cryptojacking's] inflow of money could be used to fund future, more sophisticated operations by threat actor groups. For example, several large-scale cryptomining botnets (Smominru, Jenkins Miner, Adylkuzz) have earned millions of dollars."

And things are bad enough in the present, with the CTA writing that infection by mining malware involves high costs for the victims:

"Overall, when criminals install cryptocurrency miners in large corporate networks, the costs related to excess energy, degraded operations, downtime, repair of physically damaged machines and malware mitigation in the affected systems, all borne by the victims, far outweigh the relatively small amount of cryptocurrency the attackers generally gain on a single network."


The mention of costs is significant when it comes to cryptojacking, not only for (potential) victims, but also for perpetrators. This is because cryptojacking is essentially the theft of electricity and CPU time, which implies that it will remain prevalent not only as long as Monero and other currencies remain valuable, but also for as long as it remains expensive to mine XMR and other cryptocurrencies legitimately.

According to the CryptoCompare profit calculator for Monero, a single US miner using a graphics card capable of a hash rate of 600 H/s (for example, the Nvidia GTX 1080) and drawing 100W of power (a very conservative estimate) will make only $0.8333 in profit every month. This, of course, is not particularly promising, which is a big part of why so many amateurs have turned to cryptojacking, since mining XMR while paying for one's own electricity is not fruitful unless one is a large mining operation.

However, there are recent signs that Monero mining has become more profitable, even for the smaller miner. This happened after its hard fork on April 6, which changed its PoW protocol to make it incompatible with ASIC miners, which tend to dominate the mining sector (particularly in the case of Bitcoin).

As soon as this hard fork was completed, reports from the Monero subreddit claimed that profitability had increased by 300% or even 500%, although this boost was soon lost in the following weeks, according to BitInfoCharts.

Likewise, Monero itself has been cautious about the promise of being able to resist ASIC mining equipment forever. "Therefore, it is recognized that ASICs may be an inevitable development for any proof-of-work [cryptocurrency]," wrote the developers dEBRYUNE and dnaleor in a February blog post. "We also believe that ASICs may be inevitable, but we believe that any transition to a network dominated by ASICs should be as equitable as possible in order to promote decentralization."


Assuming that it has become more profitable to mine XMR legitimately, this would explain the flattening in the growth of cryptojacking observed by some IT security companies. In its report on Q2 2018, Malwarebytes revealed that detections of mining malware dropped from a peak of 5 million at the start of March to a low of 1.5 million at the beginning of June. This decline may contradict what other analysts have reported this year, but since the Malwarebytes research is the most recent in terms of the dates covered, it is probably the most authoritative.

It is not clear whether this decline is the result of increased profitability for Monero miners, of businesses and individuals becoming aware of the threat of cryptojacking, or of a general decline in the value of cryptocurrencies. Regardless, Malwarebytes expects that "cryptocurrency miners will go out of style" as a cyber security threat. "Obviously, we will still see many miners distributed and detected," the report concludes. "However, it seems that we are at the end of the 'mania'."
