CANCUN--Making easy money was supposed to be one of the things that the Internet was good for. It hasn’t necessarily turned out that way for the most part, unless you’re somewhat morally flexible. The people who spend their days trying to compromise other peoples’ computers are, of course, and they’re flexible in other ways, too. If one tactic doesn’t work, they’ll find one that does.
For several years now, various groups of attackers have been using freely available tools to find and compromise installations of database software, mainly open source ones, such as MongoDB. In January 2017 attackers began targeting unsecured MongoDB installations and wiping out the stored data. The attackers demanded Bitcoin ransom to restore the data, and tens of thousands of vulnerable databases were hit. Some attackers expanded that campaign to other databases and a few months later another large wave of the attacks hit.
While those campaigns are still ongoing and the ransomware aspect of it persists, more recently another version of them has emerged that substitutes cryptocurrency mining for a ransom demand. Rather than going to the trouble of demanding a payment that may never come, some attackers are removing the middleman and installing software on compromised machines that mines Monero or other cryptocurrencies in the background. These programs can often run unnoticed indefinitely, depending upon the amount of computing resources they consume. And they can make significant amounts of money for their operators without much effort.
“They’ve switched tactics to the cryptomining thing with these campaigns. It’s a really great way to make money surreptitiously,” said Nate Warfield, a senior security program manager at the Microsoft Security Response Center, during a talk at the Kaspersky SAS conference here Thursday.
The emergence of this kind of attack should’ve been easy to see coming. There’s no real reason to install ransomware if you can just generate the ransom, and much more, on your own. Coin-mining software is meant for legitimate purposes, but criminals are co-opting these applications and using them as payloads. There have been instances of attackers compromising media sites or other popular sites and then adding code that installs coin-mining software on visitors’ machines. That model allows for a distributed mining process that multiplies the amount of cryptocurency the attackers can generate in a given amount of time.
Cryptocurrencies have attracted many different classes of criminals, some running these kinds of mining operations, and others with lower-level scams. But the future of this type of crime may lie in the hands of the top tier attackers: governments.
“Transaction fees on Bitcoin exchanges have skyrocketed and that means lower ransomware payments were crowded out,” said Jonathan Levin, chief research officer at Chainalysis, a firm that monitors cryptocurrency transactions and provides anti-money laundering software for Bitcoin.
“The level of crime has become almost petty in cryptocurrencies. But in the future it will be nation state actors. We’ve seen a little bit of that in the cryptocurrency world, but they’ve not been very successful. Cryptocurrency crime could be a new way for state actors to make money.”