How cryptocurrencies enable attackers and defenders
Threat actors use cryptocurrencies for their anonymity, but they're not as impenetrable as once thought. Discover how cryptocurrencies can help attackers and defenders alike.
A rise in the popularity of cryptocurrency-based crime, doubled with a lack of regulation, has paved the way for cybercriminals to extort vast amounts of money from legitimate organizations.
These payouts have produced a sophistication around nonstate-sponsored threat actors, as they now have the funds to expand their operations and capabilities.
Security researchers estimated that the infamous Conti ransomware gang's revenue has surpassed $2 billion -- most of which involved cryptocurrencies. Its success has seen the group grow, so much that it essentially has an HR department to serve and train employees. It even pays employees and associates in digital currencies.
Defending an organization from attacks is an endless game of cat and mouse, as threat actors only need to be right once, but defenders must always be right. When it comes to cryptocurrencies, however, the game is more nuanced than it sounds. To understand the situation, let's look at how cryptocurrencies enable both attackers and defenders.
Keep an eye out for cryptominers
In a world where compromise is inevitable, organizations should be grateful when the objective of an attack is cryptomining. In cryptomining, hackers use their victims' computer power and electricity to fill cryptowallets, which pales in comparison to destructive objectives, such as ransomware.
It's tricky to ascertain a hacker's motivations, but a miner's two primary intentions are the following:
- Mining is the secondary objective that enables an immediate monetization, while attackers advance to their primary objective, such as ransomware or data exfiltration.
- Mining is the primary objective, which could be a way for an ethical hacker to get money in the absence of a bug bounty, for example, an act of Robin Hood hacktivism against corporate greed or digital squatting.
For defenders, discovering a cryptominer is almost a public service. Most organizations have no legitimate reason to mine cryptocurrencies, meaning it always warrants investigation. In the first scenario, defenders have an increased chance of containing the threat before it progresses to a primary objective.
Miners need to regularly check into mining pools, and configuration files need to be pulled containing instructions, usernames, passwords and wallet addresses. Also, they may cause anomalous usage statistics, or a user may notice a decrease in overall server performance. All of these are triggers for an investigation.
Removing the miner and remediating the method of entry and subsequent steps leave an organization with a better security posture after a minor incident.
Cryptocurrencies' effect on ransomware
The most common objective of hacking is the placement of ransomware. It affects business activities and requires a ransom payment or incident response service to recover. The median cost of ransomware is $11,150 with a range of $70 to $1.2 million, according to a 2021 Verizon report.
Bitcoin is the most popular and accessible digital currency; it's easy to purchase and offers a degree of anonymity. Depending on the method, setting up a Bitcoin wallet requires no personal information or identity validation, and transactions are near-instantaneous. These features make Bitcoin an excellent option for threat actors looking to anonymously receive speedy payments of large sums.
Anonymity prevents many of these crimes from being attributed and resolved, however. Despite this, the U.S. Department of Justice was still able to retrieve the $2.3 million worth of bitcoin that was paid in the Colonial Pipeline attack in May 2021.
There is progress in the private sector, too. The total volume of cryptocurrency transactions increased 567% from 2020 to 2021, while illicit transactions increased by 79% in the same period, accounting for $14 billion. Of these illicit transactions, payments from ransomware accounted for $602 million.
The figure for ransomware payments represents the minimum value and, in actuality, may be higher. Still, the value and work done tracking transactions offer hope that stolen funds can be identified, and more may be recovered in the future by government cybersecurity initiatives.
The rise in cryptocurrency usage suggests it's here to stay, and as adoption increases, mandates for responsible use and regulation are sure to follow.
In the case of cryptomining, the presence of cryptocurrencies helps identify compromise and offers threat actors a less destructive avenue for capitalizing on their hacking endeavors.
While threat hunters and actors have long played a game of cat and mouse, there appears to be a similar game going on with cryptocurrencies. What was first purported as a completely anonymized, untraceable currency, ripe for abuse by criminals, has proven to be traceable and even reclaimable.
A healthy debate around the benefits and challenges of cryptocurrencies is not only responsible, but essential. Cryptocurrencies appear to be here to stay, and while the inherent decentralized nature should be maintained, appropriate regulation is crucial to limit avenues for abuse.
About the author
Josh Davies is a product manager at Alert Logic. Formerly a security analyst and solutions architect, Davies has extensive experience working with midmarket and enterprise organizations, conducting incident response and threat hunting activities as an analyst before working with organizations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.