Intelligent CISO Issue 04 | Page 33

PREDICTIVE INTELLIGENCE

Digging into the future of cryptomining botnets

The blockchain sector is now bursting with innovation, with developers looking for new, pragmatic ways to use this secure distributed ledger technology across a range of applications. As always, cybercriminals are among the earliest adopters and are unfortunately helping to push forward public awareness of the technology, Gadi Naveh, Threat Prevention Evangelist at Check Point, warns.

Cryptomining malware is now by far the most common event we are seeing attacking our user base, and this is only the beginning. Since December 2017, the Coinhive cryptominer, which performs online mining of the Monero cryptocurrency, has been the most common type of malware seen globally, impacting nearly 20% of organisations worldwide over the past four months. What's more, volumes of cryptomining attacks are doubling and re-doubling month by month.

Mining money on every attack

An attacker is always aware of the amount of revenue their malware can make and will quickly adapt their technique to deliver the best possible ROI. Most attacks are linked together in a funnel, in which each step needs to pay the previous level for the 'leads' it provides. The usual funnel will be:

Targets > delivery > infection > monetisation

Each step has a success ratio, such as the percentage of spam emails that bypass spam filters, the percentage of successful exploits (the infection rate) or the rate of click-through on infected files.

The monetisation step has its success rate as well. To earn from an infection, the identity of the target needs to match your attack profile. Think of phishing sites or banking trojans: the infected user needs to be doing online banking with a bank on your supported list, which reduces the number of infected users you can cash in on.

The first malware evolution to use cryptocoins for the revenue stream was ransomware. Ransomware doesn't need to adapt to a specific bank. Every target is vulnerable to ransomware, as every machine and user has files of value that the user will be incentivised to pay a ransom to retrieve. Unfortunately for the attacker, the ransom pay-out rate is under 1% of all infections. This was witnessed in the WannaCry campaign and in our analysis of the Cerber Ransomware-as-a-service campaign.

Cryptomining solves this problem of low returns (and of course relatively