enSilo CEO Roy Katmor and CTO Udi Yavo delivered an in-depth presentation at RSA Conference 2019 called “The New Gold Rush: How to Hack Your Own Best Mining Rig”. The session addressed the state of cryptominers versus ransomware, how to build a stealthy and well-distributed miner, and several miner detection methods. Also, the team unveiled Mine Sweeper, a new miner detection tool.
Cryptomining is big business and far exceeds the potential financial gain from launching ransomware attacks. According to news reports in 2018, a single hacker has the potential to make $100M a year with a malicious cryptominer. By comparison, the Petya ransomware grossed $132K in roughly six weeks, which translates into just over $1M in one year.
Miners have several advantages over ransomware. One significant advantage is the greater likelihood of receiving a payout. Ransomware payouts rely on the victim paying the ransom, which is far from guaranteed. A payout from a miner is more a function of the quality, ability, and stealthiness of the rig combined with the number of successful infections. Another advantage is that miners operate covertly and for long periods, so they can harvest as much compute power as possible, which increases the odds of a payout. Encrypting an endpoint and flashing a ransom note, while effective in getting the user's attention, is anything but covert and has a lower probability of receiving a payout. According to Roy Katmor, enSilo CEO and Co-founder, “DarkGate Malware is an awesome example of a smart and stealthy cryptomining malware. It's a full Swiss Army knife. If you find it and stop the miner, it will just ransom your device.”
When building a miner, attackers need to optimize for three things: the type of coin, stealth capabilities, and distribution methods. Mining Monero offers several advantages over other coins, including anonymity and more effective use of the CPU, and several open-source Monero mining tools are available. There are several ways to achieve stealth, including altering the source code to avoid detection, building a new packer, and executing the payload only in memory. Creating the payload in Python offers additional stealth capabilities such as encryption and persistence. When it comes to distribution, the most straightforward, most common, and most effective path is an email phishing attack. According to Udi Yavo, enSilo CTO and Co-founder, “Building a stealthy and evasive miner with strong distribution capabilities isn't that complicated. That's why there is a high ROI.”
For miners to be productive, they need to harness massive amounts of compute resources. Therefore, a reliable indicator of mining activity is a persistent increase in CPU utilization. As part of its RSA Conference 2019 presentation, enSilo produced a new detection method called Mine Sweeper. Mine Sweeper uses Windows Management Instrumentation (WMI) to monitor performance counters for indicators of cryptomining activity.
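As an added illustration of that detection idea (this is not enSilo's Mine Sweeper code), the PowerShell below samples the WMI per-process performance counters repeatedly and reports only processes whose CPU share stays high across the whole window; the threshold, sample count and interval are assumptions chosen for the example, not values from the talk.

```powershell
# Added example, not Mine Sweeper itself: persistent per-process CPU load via WMI counters.
# Assumptions (not from the talk): the threshold, sample count and interval below are
# arbitrary starting points and should be tuned for the host's normal workload.
function Find-PersistentCpuHogs {
    param(
        [int]$Samples = 12,          # consecutive samples a process must stay above threshold
        [int]$IntervalSeconds = 5,   # pause between samples (12 x 5 s = one minute of sustained load)
        [int]$ThresholdPercent = 70  # per-process CPU, normalized to 0-100 across all logical CPUs
    )

    # PercentProcessorTime in this counter class is summed over all cores, so normalize by core count.
    $cores = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
    if (-not $cores) { $cores = 1 }
    $streak = @{}   # key "Name:PID" -> consecutive samples above threshold

    for ($i = 0; $i -lt $Samples; $i++) {
        $procs = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfProc_Process |
            Where-Object { $_.Name -notin @('_Total', 'Idle') }

        $seen = @{}
        foreach ($p in $procs) {
            $key = "$($p.Name):$($p.IDProcess)"
            $seen[$key] = $true
            $normalized = $p.PercentProcessorTime / $cores
            if ($normalized -ge $ThresholdPercent) {
                $streak[$key] = [int]$streak[$key] + 1   # [int]$null is 0, so new keys start at 1
            } else {
                $streak[$key] = 0                        # a single quiet sample resets the streak
            }
        }
        # Forget processes that exited between samples; a dead PID cannot be a miner.
        foreach ($key in @($streak.Keys)) {
            if (-not $seen.ContainsKey($key)) { $streak.Remove($key) }
        }

        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    # Report every process that stayed above the threshold for the entire window.
    $streak.GetEnumerator() |
        Where-Object { $_.Value -ge $Samples } |
        ForEach-Object {
            $name, $procId = $_.Key -split ':'
            [pscustomobject]@{ Name = $name; PID = [int]$procId; SustainedSamples = $_.Value }
        }
}

Find-PersistentCpuHogs | Format-Table -AutoSize
```

A long build or video encode will also trip this, so treat hits as triage leads (check the binary's path, signer and parent process) rather than verdicts, and lengthen the window on hosts with bursty legitimate workloads.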
The number of infections from cryptominers surpassed those from ransomware in 2018. While the closing of the popular mining website Coinhive may signal a decline in the popularity of mining, research by enSilo suggests the opposite. Miners are relatively easy to build and distribute and can evade detection, so mining is likely to keep growing in popularity as long as cryptocurrencies maintain high value.