Alert Stop Bad Rabbit Ransomware In Its Tracks. Learn more

Cryptomining Rules Endpoints Around Me (Get the Monero)

Server room interior in datacenter
Rick McElroy
February 28, 2018 / Rick McElroy

If you know me then you know how much I love the Wu. You also know how much I love infosec. I thought this particular topic worthy to marry the two.

The Saga Continues for the ownership of endpoints. Organizations purchase them, manage them, update, support, and protect them. However, the bad actors “own” them all the time.

In the last half of 2017, cryptojacking became popularized. This led to an eventual and predictable shift from cyber criminals not only cryptojacking, but also installing malware with the sole purpose of using an endpoint that isn’t theirs to mine cryptocurrency. It’s a smart strategy if you’re a cyber criminal. Why try and ransom someone’s system and wait for them to pay you when you can just print money?

Consider cryptojacking to be just one more illicit use of an endpoint you are supposed to control. There are a number of ways to actually do this but one of the more pervasive models comes in the form of a script created by CoinHive. If you think of the normal web-based marketing model, it serves ads on webpages to generate revenue for the site and drive customers to whomever the advertiser wants. This model, as annoying and pervasive as it is, has helped fuel the growth of the Internet. What CoinHive did was change that model. Instead of serving ads while watching content or visiting websites the script would run and use your browser as a cryptocurrency miner. This actually presents an upside and allows people who opt in to donate to charities by monetizing their CPU. Think of this as a newer version of SETI @home with a reward mechanism built in.

New On-Demand Webinar

Hunting for Enterprise Cryptocurrency Mining

Join Carbon Black’s Threat Analysis Unit for a Cb Response threat hunting demo.

Watch Now

The problem begins to show up when one looks at how easy it is to inject malicious code into websites. Cyber criminals quickly started using these types of scripts and piggybacked on existing injection techniques. This has occurred for legitimate websites as well as for malicious ones. It got so pervasive it actually started to damage people’s mobile devices.

Cryptomining malware grew from there. In January 2018, researchers identified 250 unique pieces of cryptomining malware alone. As with any other profitable malware model, the cyber criminals will continue to innovate, obfuscate, and try and evade existing endpoint prevention capabilities. The problem will persist until the model no longer becomes profitable.

Let’s take a step back to understand why this issue is becoming so pervasive. Carbon Black’s latest threat report showed the ransomware market exploding to become a $5 billion U.S. market. Ransomware is and will remain highly profitable, but there are some issues for the cyber criminals on the other end:

  • Standing up a cryptocurrency wallet takes time and most companies don’t have one. This means the criminal has to wait for payment instead of seeing an instant profit.
  • Using exchanges cost money. This comes in the form a fee. Fees vary but if you want to be profitable do you really want to pay exchange fees?
  • They have information they can leverage on previous ransom or attack campaigns and use this technique to “hit” targets multiple times in hopes of driving a higher success rate.
  • Diversification is critical for any profitable business. Like any other venture, cyber criminals want to diversify their sources of income.
  • It’s easy, it’s fast, and it’s effective.
  • You get to actually “print” money, and that’s incentive enough for most cyber criminals.


Yes, ransomware and cryptomining malware will continue to be a thing. As long as there is a profit, the cyber criminals will continue to use it as an avenue of attack. I would expect to see the same innovation and evasion we have seen from ransomware continue to evolve this next form of extortion.

Stopping this form of malware requires the same approach we’ve always taken to stop other pieces of malware. The intention of the malware may be different, but prevention, detection, and response remain the same.

To briefly some it up, cryptocurrencies are a real thing. Denying they are or saying they shouldn’t be is just a failure to face the facts. The facts remain that even Nation States are using ransomware and cryptomining malware to bypass current sanctions and diversify portfolios. Calling for a “ban” won’t help us deal with this problem today. Cyber criminals will use the easiest methods they can to generate income. This is just one more example of them doing what they have always done. Defenders must do what we have always done and adapt.




For more information on preventing cryptomining malware from stealing your endpoints’ valuable time and resources, watch the Carbon Black Threat Analysis Unit explain how to hunt for these threats using Cb Response.

Watch Now


TAGS: Cb Response / cryptocurrency / cryptomining / EDR / malware / monero / ransomware / threat hunting

Related Posts