{"id":21482,"date":"2018-03-07T08:54:03","date_gmt":"2018-03-07T13:54:03","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=21482"},"modified":"2019-11-15T06:40:26","modified_gmt":"2019-11-15T11:40:26","slug":"miners-threaten-your-business","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/miners-threaten-your-business\/21482\/","title":{"rendered":"How hidden mining threatens your business"},"content":{"rendered":"<p><a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-end-of-the-year-2017\/19335\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Reflecting on 2017<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/from-ransomware-to-webminers\/19186\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">peering into our crystal ball for the year ahead<\/a>, we predicted that ransomware \u2014 which ran riot in 2017 \u2014 would be unseated by sophisticated new cyberthreats in the form of cryptocurrency miners. Our <a href=\"https:\/\/securelist.com\/mining-is-the-new-black\/84232\/\" target=\"_blank\" rel=\"noopener noreferrer\">latest study showed<\/a> that miners have not only lived up to expectations, they\u2019ve exceeded them.<\/p>\n<p>Over the past six months, cybercriminals have raked in more than $7 million through injecting cryptominers. Here we explain how miners work on users\u2019 computers, why they\u2019ve become a major cyberthreat (especially for businesses), and how to protect your infrastructure against them.<\/p>\n<h2>The rise of the miners<\/h2>\n<p>In 2017, when the Bitcoin and altcoin (alternative cryptocurrencies) exchange rates hit the stratosphere, it became clear that owning tokens (which can be converted into real money) is a lucrative business. 
An especially attractive feature of cryptocurrency economics is that, unlike with real money, anyone can create digital currency by performing the mathematical calculations that build the blockchain and getting rewarded for it (see <a href=\"https:\/\/www.kaspersky.com\/blog\/mining-easy-explanation\/18020\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">here<\/a> for details of how the blockchain works).<\/p>\n<p>A general rule of mining pools (organizations that unite miners) is that the more calculations you make, the more tokens you receive. The only problem is that the more calculations you want to perform, the more computing power you need \u2014 and the more electricity you\u2019ll consume.<\/p>\n<p>So it wasn\u2019t long before cybercriminals hit upon the idea of using other people\u2019s computers to mine cryptocurrency \u2014 after all, it\u2019s in their DNA to exploit Internet technologies to make a fast buck. Ideally, of course, it\u2019s done so that victims\u2019 computers perform the calculations without the knowledge of their owners or administrators. For obvious reasons, cybercriminals are particularly fond of large corporate networks with hundreds of machines.<\/p>\n<p>And they are getting very adept at putting their schemes into practice. As we speak, more than 2.7 million users worldwide have been attacked by \u201cmalicious miners\u201d \u2014 that\u2019s 1.5 times more than in 2016 \u2014 and the number continues to climb. 
Let\u2019s talk a bit more about what technologies the attackers use.<\/p>\n<h3>A hidden threat<\/h3>\n<p>The first method bears all the hallmarks of technologies used to carry out <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/apt-advanced-persistent-threats\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">advanced persistent threats<\/a> (APT), which have been featured heavily in recent large-scale <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/ransomware\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">ransomware<\/a> campaigns. These same methods \u2014 for example, attacks using the infamous EternalBlue exploit \u2014 are now being used to distribute hidden miners.<\/p>\n<p>Another way to install a hidden miner on a victim\u2019s computer is to convince the user to download a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/dropper\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">dropper, which then downloads a miner<\/a>. Typically, cybercriminals lure users into downloading a dropper by masking it as an ad or a free version of a product, or through some phishing technique.<\/p>\n<p>After being downloaded, the dropper runs on the computer and installs the actual miner along with a special utility that hides the miner in the system. The package can include autostart and autoconfig tools that might, for example, configure how much processing power the miner is allowed to use depending on what other programs are running, so as not to cause system slowdown and arouse the user\u2019s suspicion.<\/p>\n<p>These tools might also prevent the user from stopping the miner. If the user detects the miner and tries to disable it, the computer will simply reboot, after which the miner will continue as before. 
Interestingly, most hidden miners reuse the code of their legit counterparts, which further complicates detection.<\/p>\n<p>There is another way to mine tokens illegally: <a href=\"https:\/\/www.kaspersky.com\/blog\/from-ransomware-to-webminers\/19186\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Web mining<\/a>, or mining from the browser. This is made possible by a site administrator embedding a mining script that runs in the browser when a victim visits the site. It can also be done by an attacker who has gained site administration access. While the user is on the site, their computer builds blocks (from which the criminal behind the script profits).<\/p>\n<h3>How can businesses protect devices from miners?<\/h3>\n<p>Today\u2019s sophisticated attack technologies and complexities of detection have enabled cybercriminals to create entire <a href=\"https:\/\/www.kaspersky.com\/blog\/hidden-miners-botnet-threat\/18488\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">botnets<\/a> from victims\u2019 computers and use them for hidden mining. Needless to say, a business infrastructure with large processing capacity is a juicy target for cybercrooks. Your company\u2019s devices might be at risk as well. 
Therefore, we recommend implementing the following measures to protect your business:<\/p>\n<ul>\n<li>Install security solutions on all computers and servers in use to keep your infrastructure an attack-free zone;<\/li>\n<li>Carry out regular <a href=\"https:\/\/www.kaspersky.com\/advert\/enterprise-security\/cybersecurity-services?redef=1&amp;THRU&amp;reseller=gl_kdaily_acq_ona_smm__onl_b2b_kasperskydaily_lnk_______\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">security audits of your corporate network<\/a> for anomalies;<\/li>\n<li>Periodically check the Task Scheduler, which can be used by intruders to start malicious processes;<\/li>\n<li>Don\u2019t overlook less obvious targets, such as queue management systems, POS terminals, and even vending machines. As the miner that relied on the EternalBlue exploit shows, such equipment can also be hijacked to mine cryptocurrency;<\/li>\n<li>Use specialized devices in Default Deny mode \u2014 this will protect them from miners and many other threats, too. For example, Default Deny mode can be configured using Kaspersky Endpoint Security for Business.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals weaponize hidden mining. 
We tell you how it works and how to protect your company<\/p>\n","protected":false},"author":2455,"featured_media":20136,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,374,392,2640,2420,80,1134,2041,2639,337,2752,97,333,422],"class_list":{"0":"post-21482","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-bitcoin","11":"tag-botnet","12":"tag-cryptocurrencies","13":"tag-endpoint","14":"tag-fraud","15":"tag-internet","16":"tag-kaspersky-endpoint-security","17":"tag-mining","18":"tag-sas","19":"tag-sas-2018","20":"tag-security-2","21":"tag-security-analyst-summit","22":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/miners-threaten-your-business\/21482\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/miners-threaten-your-business\/12728\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/miners-threaten-your-business\/10538\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/miners-threaten-your-business\/14848\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/miners-threaten-your-business\/13160\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/miners-threaten-your-business\/12598\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/miners-threaten-your-business\/15479\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/miners-threaten-your-business\/15149\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/miners-threaten-your-business\/19851\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/miners-threaten-your-business\/4793\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/miners-threaten-your-business\/9045\/"},{"hreflang":"de","url":"https:\
/\/www.kaspersky.de\/blog\/miners-threaten-your-business\/16048\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/miners-threaten-your-business\/19832\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/miners-threaten-your-business\/19763\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/miners-threaten-your-business\/19789\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2455"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21482"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21482\/revisions"}],"predecessor-version":[{"id":29787,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21482\/revisions\/29787"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20136"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}