I have been watching for the spread of malware that, primarily, uses compromised systems to mine Bitcoin and other cryptocurrencies since Twistlock Labs presented on attackers injecting miners into containerized systems at DockerCon last year. It appears that time is now:

The first virus that I ever saw in the wild was Stoned.B in 1992. It was annoying but essentially pointless. Much of the malware that followed through the 90s and the early 00s, such as Code Red and Melissa, was similar. While they were often damaging, they did not gain their authors much.

This changed as attackers started to find strategies for monetizing the successes they had in spreading malware. Some of the first large monetization schemes created botnets, or groups of infected machines, that could be rented to deliver spam or generate huge amounts of traffic for denials of service attacks. Another scheme that was popular was rogue antivirus schemes where malware would show fake warnings indicating that a user’s computer was otherwise compromised and offering to sell them software to clean & protect their computer from the made-up threats.

Cryptocurrency Changed The Game

The widespread availability of Bitcoin allowed attackers to become bolder and to operate on a larger scale. The first major ransomware family to use Bitcoin, CryptoLocker, was very successful and led to a proliferation of other ransomware families.

I saw a lot of evolutionary pressure in ransomware, with each family investing a great deal of effort to stay ahead of detection and, probably more importantly, to make sure that compromised users were able to pay for decryption of their files. For example, the first version of CryptoLocker didn’t display a ransom demand until it finished encrypting all the files, a process that could take many hours. If the encryption was interrupted — if the user rebooted their computer, for example, or if their antimalware solution detected CryptoLocker while it was running — the user never received the information necessary to buy the key to decrypt their documents. Later iterations of ransomware make absolutely sure that the user knows how to pay for the key. They will write out files with instructions in every folder that they encrypt documents in, change the desktop background, and, in one case, even use the Windows Speech API to speak aloud a message explaining what has happened.

Because of the investment, malware that directly mines cryptocurrency seems like the next logical step and it appears that, in the last several weeks, many malware families have pivoted to use compromised computers to do just that. Attackers are moving to code that uses available resources to monetize the compromises without the troubling overhead of collecting ransoms & managing decryption keys. They are also moving to exceptionally portable code — in one case, mining malware was even found running on a network printer!

The good news is that Twistlock already has specific compliance and runtime protections to help find and prevent potential cryptomining malware in protected environments alongside important defense-in-depth capabilities that detect & protect against known & unknown threats.

Want more? A deep dive into Twistlock Labs research on cryptominers in containerized environments is coming next week.

← Back to All Posts Next Post →