[Podcast] Ransomware Out, Cryptojacking In? Latest Cybercrime Trends

Ransomware is on the decline. In Episode 10, we find out why the new trend of cryptojacking is taking its place. Plus, what it's like to be a malware analyst.

Author: Melissa Michael
Date: 12.07.2018
Read Time: 20 Minutes

LISTEN TO EPISODE 10

Over the past couple of years, ransomware stole headlines as the biggest malware threat to worry about. Consumers and businesses alike were being hit and forced to shell out money to retrieve their files. But the cybers never stand still, and neither does malware. Nowadays ransomware is being eclipsed by new trends. Why is that, and what’s taking its place? F-Secure labs researchers Paivi Tynninen and Jarkko Turkulainen stopped by the Cyber Sauna for Episode 10 to talk about cryptojacking and the current world of cybercrime.

Janne: Welcome to the show, guys.

Jarko: Thanks,

Paivi: Thank you.

So ransomware is in decline. How much of a decline, and why is that? Did people stop paying ransomware?

Paivi: So basically all malware is created because they are after gaining monetary revenue. The surprising trend that we observed last year that the ransomware was suddenly declining, especially as the market value was estimated to be millions of dollars in 2016, so it was pretty surprising. But the decline partially can be explained by people not paying anymore, as there have been these public projects of not paying the ransom, and Europol’s joint effort on No More Ransomware project, where they offer these free decryption tools for some ransomware infections, and also the knowledge sharing about ransomware infections has attributed quite a lot, to that people don’t necessarily feel victimized when they get attacked by ransomware.

So they just ignore the infection?

Paivi: Yeah, and they have these other measures that they can recover from, for example, they probably have backups, or they realize that okay, ransomware is a potent threat. So they already have these premeasures to counteract the ransomware.

We’ve had these three major outbreaks in the last year that probably have attributed also to the overall knowledge that ransomware is a threat, but also that paying up for the ransom, you don’t necessarily get your files back. For example in the first strain, WannaCry, it was only wiping your disk and it was encrypting your files in such a manner that they weren’t decryptable. So even though people were paying up, none of them got their files back. So that has probably ruined the reputation of ransomware. As we had this study in 2016 where we studied the customer service that the ransomware providers were giving. And they were really interested in providing good service to their users, and that means that if the user or the customer victim wants to pay the ransom and get their files back, that is possible, so they wanted to provide really good service for that.

Yeah, I mean presumably they were trying to avoid exactly what happened here, that when people don’t get their files back the incentive to pay up has vanished.

Paivi: Yes, exactly. So in a way those three major outbreaks have served the ransomware business quite a lot of harm.

So does that mean we don’t have to worry about ransomware anymore?

Paivi: Absolutely not. Ransomware is still a very potent threat. The measures users have learned in the past couple years should still be exercised.

What are the current techniques in spreading ransomware? Is it still spam and macros?

Paivi: Yeah, that’s still quite popular but the currently most prevalent infection vector is brute forcing the target system for example via RDP ports, and executing the ransomware there manually. So the user doesn’t have to do any interactions, and this approach is actually more efficient, as it selects only like these high profile targets such as businesses that have these RDP protocols enabled in their systems. And therefore it increases the possibility to get a bigger ransom, with higher probability to be paid, as the company probably needs their intellectual property back.

How does that work? Are you talking about specific vulnerabilities in remote desktop protocol, or…?

Paivi: Only weak credentials and public ports. So they are not like in these contained network segments, but the RDP ports are available in public internet.

Okay, and that’s not something we’d recommend.

Paivi: Yeah, especially not.

In a recent presentation, Paivi, you mentioned that the bait in phishing email is always changing even though the infection vectors have stayed the same. Can you explain about that a little?

Paivi: Yeah, the spam emails have changed a bit. Even though the infection vector, document macros, have stayed the same, but the attackers are adding additional layers to avoid automatic analysis and researchers trying to intercept their potentially good infections and creating detections for those. For example the attackers don’t necessarily use email attachments anymore, but they are using these links that are these crazy redirect loops that they are redirecting you from page to page, and after a couple to maybe seven different page redirections you get the final payload, which is only the downloader document with macros. And also another additional security measure layer that the attackers use, if they use an attachment in an email, they are going to secure it with a password that is attached to the original email. So if you submit this kind of example to an automatic analysis box, the attachment doesn’t execute because it’s only prompting for the password that is not available without the original spam email.

What’s the point of redirecting you that many times?

Paivi: If you have that many redirection loops, you can always kill one website from that chain, so you wouldn’t know what the next step was. So if I’m going to follow this kind of infection strain like couple hours after the campaign is over, I’m not going to be able to deduct from the information I have what was the final payload and what was the executable that was served. So we are not able to create detections for something that we haven’t found.

So it’s a chain that leads to the attackers but they’re able to cut it at any point.

Paivi: Yes, exactly.

So what are the new trends that are taking ransomware’s place as the number one malware threat these days?

Jarkko: Cryptomining obviously is a new trend, and also I think click fraud is getting bigger, especially on mobile. Maybe phishing kits can be something in the future, a growing trend. We actually see nowadays very complex phishing kits that can replicate convincingly big web stores like Wal-Mart. But definitely cryptojacking is – and cryptomining in general – is absolutely the biggest trend.

So what are cryptomining and cryptojacking?

Jarkko: Well the cryptomining in general is this process in which the cryptocurrency is being generated. And at the same time it runs the whole network of the currency. Cryptojacking is a special technique of that, in that the browser is used to mine cryptocurrency.

Okay, so the attackers are using my computer to mine their cryptocurrencies.

Jarkko: Yes, basically that’s the idea. They take over your resources. And instead of offering you for example a trojan or ransomware, they use your machine, your CPU cycles, your electricity, and transfer that to money.

Can you make money that way?

Jarkko: Well obviously it’s a profitable business for someone.

It’s just my understanding of cryptomining is that it takes a huge amount of time and a ton of resources so is the attacker gonna have that long access to my resources?

Jarkko: One of the things that is interesting in this is that they use this cryptocurrency called Monero, or Monero-based cryptocurrencies and the interesting feature of that is that you can actually do pretty efficient mining on regular CPUs. So it’s not like a Bitcoin where you need to have the GPU, you can mine Monero quite nicely with the curren – like laptop or even mobile phone or browser. So imagine if you have a website and 10,000 visitors and they all get this thing. It’s going to generate some revenue.

Right. So each individual is not doing a lot of the work but put together it’s a big deal.

Jarkko: Yeah, and then of course on the regular PC you might run that 24/7 basically. And if you have a decent botnet running those things it can actually generate.

Wouldn’t I notice that on my PC, that something like that is happening?

Jarkko: I don’t think so, no.

So it’s not going to slow my machine down?

Jarkko: No, and they usually use legit tools like XM Rig and you can configure those that they use only for example one core of your machine or two cores. You don’t notice that on a regular PC.

So how long can an attacker stay on a victim’s computer running their cryptomining operation?

Jarkko: Basically if the attack is on a regular PC, like a native platform like Windows, then they usually install the miner and it runs forever. As long as the operating system is up and running.

So you might never notice it.

Jarkko: No, no. Only if the AV or some other way of removing the malware actually stops the execution, then it just runs there.

Is that something that’s easy for AV to detect, like malicious cryptomining as opposed to cryptomining that people are doing on purpose?

Jarkko: Not really. Because most of the time they use legit tools, like XM Rig, which is used by normal people for mining and making some extra money.

So even AV might not be able to catch it.

Jarkko: It’s not about being able, it’s about sometimes we don’t want to detect these files because we would get so many complaints. But most AV detects these as potentially unwanted applications. And then if the miner is running on the browser then of course the thing is completely different. It depends on how it is installed.

So how is it different on a browser?

Jarkko: In general it runs only when you are on that page. But in some cases they might install a malicious add-on, for example for Chrome. Then it runs whenever the Chrome is up, which is basically nowadays forever. But Google is and other players as well they are blocking actively these add-ons in their shops.

So when did this cryptojacking thing start and what was the catalyst for it?

Jarkko: I think the first big case was the Pirate Bay incident in September 2017, so that’s when the whole thing broke to the bigger audience. But the development of this Javascript-based Monero, that was happening behind the scenes already and the CoinHive was the first one to come up with the working library maybe in middle of 2017 summer. From there on the process actually took over and it has been kind of big growth there.

Are we also seeing noncriminal instances of cryptomining on people’s browsers? I think I’ve seen ads being replaced by this, like we’re not going to show you ads, we’re just going to mine cryptocurrency on your browser while you’re visiting our website.

Jarkko: I don’t remember the names but there were some major sites actually using that and still using.

So is cryptojacking malware being spread the same way as traditional payloads? Are there differences?

Paivi: Quite a lot of the cryptomining malware that are targeting for example Windows platforms and they are distributed as binaries, they are using the same infection vectors as we saw ransomware in the past couple years and that is partially spam. But also there are these social engineering sites that for example you’re visiting a trusted legitimate website that has some sort of malicious redirection and it’s redirecting you to this pretty shady site that is asking you to install some plugin or browser-boosting software that is making your computer usage even quicker, and that could be a coin miner.

Is that still malicious banner ads, or what’s the technique there?

Jarkko: Malvertising basically. Well there’s been major cases, using legit deliver platforms, for example DoubleClick. So for example in January someone put some obfuscated CoinHive scripts using DoubleClick and loaded from major sites, including YouTube.

Wow.

Jarkko: But obviously these are not very long living, but still. They reach quite many people.

Paivi: Yeah, even if they reach only for a short while and for example YouTube probably has millions of visitors in just a couple of minutes, that is big enough an audience for coin mining.

Sure.

Jarkko: Yeah, and then of course websites, they are hacked manually, like, the normal way.

So instead of defacing the website, somebody just puts this stuff up.

Jarkko: Yeah, and it’s a very efficient and clean way to do it, because traditionally when these people take over the servers, they put some iframe to some exploit kit or some other exploitation and that’s a very unreliable way to take over a machine. You need to also hack the browser. But in this case you just hack the website, which is much easier, you always find websites to hack, and then you just put this nice iframe there and that’s it. No hacking, no browser crashing, nothing like that.

So does this kind of thing primarily affect businesses or consumers or both?

Paivi: I’d say that this affects both consumers and businesses. Consumers are a better audience as they are a lot more of them, but the resources that the normal users provide isn’t as good as a business’s data centers could provide. And we’ve seen quite a lot of malware strains that are targeting big business corporations and their services and servers and they are infested with coin miners that are moving laterally from one computer to another and in a matter of just minutes you have compromised the whole network.

Jarkko: Can I add one more injection vector to this, one very interesting actually using obviously wifi hotspots. Someone can just sit on wifi and inject something to customers machines. But also TOR exit nodes and that’s very common. I’ve been monitoring TOR exit nodes for quite a while now and you get this a lot. And they do SSL striping and all that stuff so if you are using TOR, you might be mining coins as well.

If I have a rogue wifi node or I’m running my own malicious TOR exit node, how does that work? I see some unencrypted traffic going through and I- is that where I get in?

Jarkko: Yes, and then you just brutally insert the iframe there. It’s a one liner, for CoinHive, basically.

Wow. You mentioned lateral movement that sometimes is needed to spread through an entire organization. Does that happen through like admin tools or malicious means like EternalBlue or something like that?

Paivi: There are quite a lot of different options for lateral movement, but I think the most popular methods for that are these harvesting used credentials inside the network, such as Mimikatz, and these big exploits such as EternalBlue, using these well known vulnerabilities, especially in business environments.

Let’s talk a little about cyber crime in general. How do cyber criminals decide what type of attacks or scams to run? Like why would you go for banking trojans instead of ransomware?

Paivi: Well the main thing that is driving especially these crimeware/malware criminals is money. They are going where the most potential money income is. If they see that OK, ransomware is trending and I don’t need to put that much effort to create my own ransomware, I have my distribution networks done, then OK, I just push out this ransomware and the money is just flowing in. For banking trojans it’s pretty simple. If you have good target banks that you know how to compromise, how do you intercept the bank transfers so that you can transfer a little bit of money to your own account as well. It’s simple, they just go where the money flows.

Yeah, when one stream trickles down you just move on to whatever’s making more money now.

Paivi: Yeah, exactly.

Tech’s always changing and moves pretty quickly – can the latest tech keep us safe from cyber crime?

Jarkko: On the technical side, I’m not really worried at all.

Why is that?

Jarkko: I think we can keep up with those guys. What is really worrying is the kind of blurring of these categories. I mean, is tricking someone with a love letter in Facebook, is that cyber crime? I think it is. But that’s clearly something that AV cannot do much about.

By tech you mean that we can detect the latest viruses, malware, like that, but if you can trick a human being you’re always going to be successful.

Jarkko: Yes, exactly. There’s always going to be this kind of polarity, that on the one side you have this high tech cyber crime with complex technologies and zero days and whatnot, so this is what we traditionally have been working on. But then on the other side, you just simply ask for money. If you ask a million people for money, someone will give you, and you’ll get rich. And that’s cyber crime still.

Absolutely. Not much you can do about stuff like that. What would be the thing to do to sort of fix the human being part of the problem?

Jarkko: Well, education.

Paivi: Yeah, education is pretty much the only way. We can share the knowledge we have and that way share the good security measures that anyone can do by themselves.

Jarkko: There’s actually been quite good progress in this, I think. We’ve been keep telling people that you have to do your updates, you have to take backups, and you have to do this and that. And people are accepting that now. They are not getting really pissed off when the computer’s booting all the time because of updates and all that stuff that is happening, so I think that is paying off. So the security in operating systems is getting actually really good. I mean the browsers and the core operating systems like Windows. It’s really good. But it’s the human that is clicking and doing all that stuff, that’s still what we need to fix.

Let’s talk about your work a little bit. What’s it like to be a malware analyst? What gives you kicks in the work? Do you feel disappointed when the bad guys can’t come up with anything cool? Do you dream of the next Stuxnet?

Jarkko: I’m not after this kind of big media things, like big malware cases of nation state grade stuff, of course that would be nice, but for me it’s more like a generic curiosity that has been basically driving me. I actually still remember my first real malware that I reversed. At that time I was working for a major Finnish IT provider for networks and UNIX servers and we actually saw in one of the proxy logs these strange things going on and there were these Windows executables coming into the network and I just had to find out what it was doing so I bought an IDA license personally with my own money, spent some weekends and nights doing reversing and when I actually realized what it was doing, when finally everything starts to click, I guess that’s the kind of feeling I’m still looking for. It’s a very exciting kind of thing. I get almost obsessive when I actually get into that sort of mood.

What about Paivi? What drives you?

Paivi: I need to agree with Jarkko here, I’m not really waiting for these very big media things just to happen so that we can get fame and be part of something very big that’s receiving a lot of interest, public interest. I’m in this line of work because I’m also very curious and for analyzing malware, figuring out what it does and finding out where it came from and what was its purpose and why would the creator of this malware do these decisions and why would they want to target that, and trying to understand their infrastructure behind it, basically understanding the whole picture is really giving me the kick that keeps me in this work.

But if it’s the puzzles of it that are keeping you motivated doesn’t it get boring when you see the criminals doing the same old thing over and over again and being madly successful at something that should absolutely not work at all?

Jarkko: We also have other things to do. For example, I have another role in this company, I have also been part of R&D for a long time, and so for me it’s basically two sides of things. One of the sides is figure out what they do, how they work, how these things operate, but then I have the other angle, like what can we do about it with our technology, and that’s basically something that never stops. We can always perfect our tools and technologies. It’s not gonna get boring.

Paivi: One of the most fascinating parts of the work is to understand the whole picture that you get the puzzle pieces together, but we also need to think of solutions for fixing that. Whereas Jarkko is in R&D, I’m more on the feed automation and trying to get more visibility in all the threats that are occurring so we have even better coverage. So it’s not only one cybercriminal gang that we are tracking, we are tracking everything and our goal is to understand the whole picture and understand the trends. It doesn’t matter that we see that okay, these guys are doing the same things and now I’m seeing this guy doing the same thing again. But it’s giving us information that okay, this is trending. And this is giving us prioritization for what R&D is supposed to do to give better protection for our customers.

Do you ever get mad at news when the Olympic Destroyer pops up and people are saying “That’s definitely China” and you’re like “It absolutely isn’t!”

Paivi: Well, I don’t get that strong emotions, I’m just shaking my head and wondering where did they figure out this attribution and they don’t have strong enough proof in my opinion, usually, to state these arguments.

But does it ever happen that you sort of, you see something new and you’re like, “Okay, this is gonna be big.”

Jarkko: Well, it happened for cryptojacking for me, when I actually hit the Pirate Bay thing and saw the script, I was like, “Yes, this is going to hit.” It was so obvious. Because it’s such an easy way to make money and the JavaScript security model is basically nonexistent. So you can put this third party script from any site and they will run. So basically, that’s what it’s based on.

So any last words, final advice for our listeners?

Jarkko: For cryptojacking, you’d better disable Javascript.

That’s always sound advice. Thanks for being here today.

Paivi: Thanks.

Jarkko: Thanks.

LISTEN TO EPISODE 10

Cyber Security Sauna podcast


Post Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s