Report Finds Cryptojacking Instances Jumped 400% In A Year

Instances of cryptojacking malware have jumped more than 400 percent since last year, a new report finds.

A collaborative group of cybersecurity researchers called the Cyber Threat Alliance (CTA) published the report Wednesday, detailing the various and repercussions from cryptojacking – the illicit practice of hijacking a user's computer to mine cryptocurrencies.

Most notably, CTA points out in the research that the number of instances of illicit mining malware found has sharply spiked in the months from the close of 2017 to end of July 2018.

The report states:

"Combined data from several CTA members shows a 459 percent increase in illicit cryptocurrency mining malware detections since 2017, and recent quarterly trend reports from CTA members show that this rapid growth shows no signs of slowing down."

In the key findings document, the alliance points to a particular exploit that has been plaguing the security world for over a year, Eternalblue, as one of the leading causes.

Eternalblue is the infamous NSA exploit that was used in the Wannacry ransomware and NotPetya attacks.

The CTA's analysis explains that a number of Windows operating systems remain vulnerable to the bug, despite a patch released by Microsoft. As such, these systems run a vulnerable network file sharing protocol dubbed SMB1.

Malicious actors target these susceptible machines for their processing power, which even simple cryptojacking software can hijack.

In fact, these actors have even begun repurposing existing software to specifically mine cryptocurrencies, the report said, explaining:

"Researchers noted in February 2018 that the BlackRuby Ransomware family began 'double dipping' by adding the open-source XMRig software to their tools to mine Monero. The VenusLocker Ransomware family completely shifted gears, dropping ransomware for Monero mining. The Mirai botnet, notable for its 2016 DDoS attack that used IoT devices to impact substantial portions of U.S. internet services, has since been repurposed into an IoT-mining botnet."

Further, by decreasing the mining rate, the malware can easily and cheaply be scaled across a network in large organizations and persist on the host computer for a longer time, resulting in a larger pay-out.

Palo Alto Networks, one the partners in the alliance, found that Coinhive dominates in terms of software used by malicious actors, with some 23,000 websites containing Coinhive source code.

Moreover, the group of security firms has noticed that malicious actors are shifting their focus from traditional systems and personal computers to Internet-of-Things devices like smart TVs.

The CTA also stressed that the presence of cryptojacking malware may just be an indicator of how insecure a system is, saying, "if miners can gain access to use the processing power of your networks, then you can be assured that more sophisticated actors may already have access."

Mining image via Shutterstock