Ransomware vs. Cryptojacking

Cybercriminals are increasingly turning to cryptojacking over ransomware for a bigger payday. Here's what enterprises need to know in order to protect their digital assets and bank accounts.

Jay Kelley, Senior Product & Digital Marketing Manager, Menlo Security, Inc.

July 3, 2018

Cryptojacking is catching up to ransomware as the most popular attack vector, according to a number of recently published research reports. To be sure, ransomware is still prevalent and dangerous to businesses and households. But cryptojacking is definitely gaining ground.

What does that mean for security teams? Before I go any further, let me set the record straight about cryptomining and cryptojacking.

  • Cryptomining is the action of mining cryptocurrencies, such as bitcoin, ether (from Ethereum), Ripple, Litecoin, Monero, and one (or more) of over 1,600 other cryptocurrencies currently available from numerous sources. 

  • Cryptojacking is illegally mining cryptocurrencies. It involves stealing by leveraging the computer and graphics processing power from unsuspecting users' devices to mine crypto, without their permission or knowledge. It can also involve stealing already mined cryptocurrency from another's crypto wallet. There are countless ways for attackers to cryptojack cryptocurrency, and none of them are on the up-and-up.

While ransomware has been the "go-to" play for attackers for some time, ransomware can be complicated. It typically involves a great deal of research, reconnaissance, social engineering, and technical acumen. It can take time to develop the malware to deliver the ransomware, not to mention the ransomware itself. And the payouts, while once lucrative, have now become smaller and smaller, with some companies, educational institutions, and municipalities refusing to pay the ransom, leaving the attacker without what they wanted in the first place: quick, untraceable cash.

Cryptojacking, on the other hand, is not as time consuming or difficult. The most common cryptojacking attack is one in which an attacker simply leverages a legitimate cryptomining program, likely in JavaScript; finds a website running a vulnerable server — which is much more common than you would like or hope to believe — and infects the website with the mining program. Then, every user that visits that website will have the cryptomining program installed in the background, and the attacker will leverage the computing and graphics power from that user's device to mine cryptocurrencies. Done over and over again daily, the attacker can have many, many computers mining crypto for them, unbeknownst to any of their users.

A user might say, "so what?" After all, their device hasn't been infected with malware, like ransomware. All the attacker is stealing is a little power; so, what's the problem? But the user will experience the problem firsthand when his or her system slows to a crawl, and accessing anything on the device becomes exponentially more difficult. It's even worse if the user's device has been cryptojacked by a novice; the novice could max out the CPU on the device in an attempt to solve more of the complex, sophisticated mathematics problems it takes to mine crypto. That would put the computer at risk, possibly destroying it in the process.

Now, imagine the same situation, but instead in a corporate data center. Imagine if all of the servers had cryptomining software loaded on them and were simply churning through the math problems to mine crypto. Corporate services would slow down, causing lost productivity, at best. At worst, if that same situation were to happen at, say, a data center for an electrical utility, it could cause a brownout or a blackout, since the services would be running slower and slower, as the computations increase as crypto is being mined. If the target was a healthcare provider's data center, and access to electronic health records (EHR) slowed to a crawl, it could mean the difference between life and death.

As more attackers move to cryptojacking, they are also looking for new and foolproof ways to gain access to processing and graphics power. It has now become so difficult to solve the math that leads to a bitcoin payout (which cannot be made on just a single bitcoin, but on a bitcoin block; the number of bitcoins per block — the blocks being what make up a blockchain — varies, but it has been in the 12+ bitcoin range) that most serious miners use hundreds of specific, expensive ASIC-based mining systems. But it's far easier to mine ether or Litecoin, or any of the other cryptocurrencies available.

Plus, for the attackers, the payout is much higher, and has a better guarantee of payoff than ransomware, at this point. The return on cryptocurrencies may continue to be volatile, but at least the outcome is certain: There will be a "payday" for the attacker, in untraceable currency, which is not assured anymore when it comes to ransomware demands.

How can businesses protect themselves and their devices from cryptojacking? Here are five places to start:

  1. Determine whether heavy resource consumption is coming from on-device processes or from a browser-based miner. Check CPU and GPU usage on computing devices.

  2. Block JavaScript on the browser. This will work, but could be very limiting, as JavaScript is used in many web-based applications and on websites.

  3. Keep patches updated. This should go without saying, but, unfortunately, it needs to be stated and restated.

  4. Use an anti-malware program or service that blocks cryptominers and/or download a cryptominer-blocking plug-in for your browser. But be aware: these programs and services can be usurped and fooled into complacency.

  5. Employ web browser isolation, which should block any active content, such as JavaScript, from being downloaded directly to a user's device but should also allow any active content to remain active, possibly by re-rendering it in safer code.
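One way to carry out the first step above, separating sustained browser CPU load from a standalone process hogging the CPU, as an added example in Python (not code from the article or from Menlo Security): it parses several `ps -eo pid,comm,%cpu` snapshots taken a few seconds apart, sums %CPU per command name, and flags only names that stay above a threshold in every sample, so a one-off spike does not trigger. The set of browser process names and the sample snapshots are assumptions constructed for the example.

```python
from collections import defaultdict

# Process names treated as browsers; an assumption for this example.
BROWSERS = {"chrome", "chromium", "firefox", "msedge", "safari"}

def parse_ps(snapshot: str) -> dict:
    """Sum %CPU per command name from one `ps -eo pid,comm,%cpu` snapshot."""
    totals = defaultdict(float)
    for line in snapshot.strip().splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 3:
            continue
        comm = " ".join(parts[1:-1])  # command names may contain spaces
        try:
            totals[comm] += float(parts[-1])
        except ValueError:
            continue
    return dict(totals)

def sustained_hogs(snapshots, threshold=80.0) -> dict:
    """Return {name: (classification, lowest %CPU seen)} for names at or above
    threshold in every snapshot; names missing from any snapshot are ignored."""
    per_snapshot = [parse_ps(s) for s in snapshots]
    if not per_snapshot:
        return {}
    names = set.intersection(*(set(p) for p in per_snapshot))
    flagged = {}
    for name in names:
        floor = min(p[name] for p in per_snapshot)
        if floor >= threshold:
            kind = ("browser-based miner suspected" if name.lower() in BROWSERS
                    else "on-device process")
            flagged[name] = (kind, floor)
    return flagged

# Constructed sample snapshots (not real captures), a few seconds apart.
SAMPLES = [
    "  PID COMMAND   %CPU\n  812 chrome     45.0\n  813 chrome     52.0\n"
    "  120 systemd     0.3\n 1402 svc_helper 95.0\n  640 firefox    90.0",
    "  PID COMMAND   %CPU\n  812 chrome     48.0\n  813 chrome     50.0\n"
    "  120 systemd     0.2\n 1402 svc_helper 96.0\n  640 firefox     5.0",
    "  PID COMMAND   %CPU\n  812 chrome     47.0\n  813 chrome     55.0\n"
    " 1550 python3     3.0\n 1402 svc_helper 95.5\n  640 firefox     4.0",
]

if __name__ == "__main__":
    for name, (kind, floor) in sorted(sustained_hogs(SAMPLES).items()):
        print(f"{name}: {kind} (never below {floor:.1f}% CPU)")
```

On a live host, feed the function the output of repeated `ps -eo pid,comm,%cpu` runs; a browser flagged here points at a page-embedded miner (close tabs and check extensions), while an unfamiliar standalone name points at an on-device miner to investigate.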

About the Author

Jay Kelley

Senior Product & Digital Marketing Manager, Menlo Security, Inc.

Jay Kelley is senior product and digital marketing manager for Menlo Security, Inc., responsible for the company's social media presence, go-to-market strategy and execution, vertical market-focused materials, and marketing content development. Prior to Menlo, Jay was senior product marketing Manager for F5 Networks, responsible for integrated marketing and go-to-market strategy and execution for application access, identity & access management (IAM), and mobile products and services. Jay has more than 30 years' experience in application, network, web, and mobile security and access control, identity and access management (IAM), and enterprise mobility. Jay has spoken at numerous technology events, and is co-author of the book, "Network Access Control for Dummies", published by John Wiley & Sons in 2009.
