Are the hackers who’ll target your business after a quick payout or playing the long game?
That might determine whether you’re at greater risk from ransomware or cryptojacking — either way, you’re probably not ready.
The new 2018 Data Breach Investigations Report from Verizon found that businesses are still not investing in appropriate security strategies to combat ransomware, which has been a central threat over the past year.
Colorado Springs experts agree, but they wave another warning flag: Cryptojacking is booming — even overtaking ransomware — and businesses aren’t shielded from that either.
Cryptojacking is a term for the use of cryptomining malware, or illicit cryptomining, which Forbes calls “the top cyberthreat of 2018” and Malwarebytes breaks down in its State of Malware Report:
“Alongside a sudden cryptocurrency craze, bad actors have started utilizing cryptomining tools for their own profit, using victim system resources in the process. This includes compromised websites serving drive-by mining code, a significant increase of miners through malicious spam and exploit kit drops, and adware bundlers pushing miners instead of toolbars. By the end of 2017, basically anyone doing any kind of cybercrime was also likely dabbling in cryptomining.”
In short, cybercriminals are secretly hijacking their victims’ computers, stealing computer power to mine for digital currencies.
Mining for cryptocurrencies is a notoriously energy-hungry process, sucking up vast amounts of computational power to verify transactions. If a hacker can use your computer’s power to mine digital coins, instead of theirs, the payout can be handsome.
“If the cryptomining software can get installed on the victim’s infrastructure, it will likely go on undetected for long periods of time,” MainNerve Cyber Security Engineer Steve Schwarzrock said in an email. “Cryptomining is an expensive operation in terms of the impact it can have on how efficiently the victim’s infrastructure will run (which can then degrade business operations) as well as the increased utilities bills to run the systems as they mine for the currency. All of these costs are absorbed, often unknowingly, by the victim.
“When a new coin is found, the attacker gets it — as of April 20, a single Bitcoin is worth about $8,500 USD.”
Schwarzrock said for the attacker, cryptomining is about the long game. Shawn Murray agrees.
“The idea of making money for minimal effort is the goal,” said Murray, president and chief academic officer for Murray Security Services. “If an attacker can steal a miner’s cryptocurrency process or capability, then this meets the goal.
“GhostMiner is one of the latest and most unique, as it erases its tracks — which makes it very difficult to trace or track.”
But back to ransomware…
The 2018 DBIR focuses heavily on ransomware, finding it overtook all other types of malicious code in the 2017 dataset.
Schwarzrock said both ransomware and cryptomining will be threats for the foreseeable future, but for different reasons.
“Attackers like ransomware because it’s a proven quick method of being reasonably successful [in] obtaining money while being largely untraceable, due to most ransom demands requiring cryptocurrency as payment,” he said.
Murray said businesses are still lagging in their defenses against ransomware because they don’t understand the problem or the potentially catastrophic consequences.
“Not having a strategy can be very costly — up to and including going out of business,” he said. “The strategy does not have to be complex. It can be as easy as having a backup of your critical data and software applications so that if a breach occurs, then you just rebuild those systems to get back up.”
Organizations should work out the likelihood of being hit with a ransomware attack based on their industry, he said, as well as the impact on their operations, if it happens. Getting a handle on that means the business can decide recovery time and recovery point objectives based on risk tolerance.
“All of this information should be part of their business continuity and disaster recovery plan,” Murray said. “This all sounds simple, but the fact is that most businesses — especially small businesses — are focused on keeping the doors open and making money. These businesses focus on minimizing disruption based on things that they know and understand and can control. I’ve had conversations with owners and this is the general feedback I get.”
Too expensive, too hard
Schwarzrock said because cybersecurity generates no revenue, “there is minimal incentive to invest large amounts of capital into protecting against an event that may never affect the company.
“Some companies are still of the old school mentality where if they have a decent firewall on the edge of their network, they feel that they are protected and don’t think about designing a defensive, in-depth security posture,” he added.
Before the WannaCry ransomware worm of 2017, Schwarzrock said, it wasn’t uncommon for MainNerve engineers to see companies running servers that were missing the latest operating system patches or even running operating systems that are no longer supported — meaning there are no more security patches being issued for that particular operating system.
Since WannaCry, they’ve generally seen companies remove or upgrade the unsupported operating systems from their networks and be more active in keeping up to date with the latest patches.
Good cybersecurity is still a challenge, especially for smaller businesses — in fact, the DBIR found 58 percent of data breach victims are small businesses.
“One of the additional issues facing small to medium-sized businesses is that cybersecurity issues seem to be everywhere,” Murray said. “It is difficult to understand where to focus first and there are too many companies trying to sell cybersecurity services at a cost that may seem unreasonable.”
It comes down to resources, Schwarzrock said.
“Smaller companies are less likely to invest in products to help protect their IT infrastructure from all types of attacks,” he said. And once a breach is discovered, “while companies would love to find out who did the attack and aid in prosecution, they may not have individuals who can execute a proper incident response on staff to preserve the evidence for investigators.”
They’re also under pressure to get the affected systems back in operation as quickly as possible, even if it means paying the ransom.
Show me the money
Ransomware is obviously deployed for payouts, but for hackers there’s no one calculation on who’s best to attack, Murray said.
“There are more smaller businesses than there are large ones, so this is a strategy for some attackers,” he said. “If you read the blogs in the Dark Web though, an attacker going after smaller businesses has a lot more work to do because of [how little] the small business can afford to pay out in ransom. Less ransom means more attacks on more victims to be able to get a decent payday.”
But a medium to large business can pay more, depending on the data or systems being held for ransom.
“If the data or information is critical to their operations or — as is the case of some health care facilities and hospitals — critical to life and safety of patients, then the threat becomes very real and the payout more likely,” Murray said.
The DBIR runs 68 pages, so Murray listed some takeaways for businesses:
• Switch from single-factor to multi-factor authentication.
• Work out a patch management strategy.
• Be vigilant about phishing — it’s still the easiest way for hackers to introduce malware.
• Establish better vetting for privileged users like system administrators, network administrators and software developers — privileged users (or insiders) still represent “a huge threat.”