How cryptocurrencies enable attackers and defenders


A rise in the popularity of cryptocurrency-based crime, doubled by a lack of regulation, has paved the way for cybercriminals to extort large amounts of money from legitimate organizations.

These payments have produced sophistication around non-state sponsored threat actors as they now have the funds to expand their operations and capabilities.

Security researchers estimated that the infamous Conti ransomware gang revenue has exceeded $2 billion — most of which involve cryptocurrencies. Its success has seen the group grow, so much so that it essentially has a human resources department to serve and train employees. It even pays employees and associates in digital currencies.

Defending an organization from attack is an endless game of cat and mouse, as threat actors only need to be right once, but defenders must. forever be right. However, when it comes to cryptocurrencies, the game is more nuanced than meets the eye. To understand the situation, let’s see how cryptocurrencies enable both attackers and defenders.

Keep an eye out for crypto miners

In a world where compromise is inevitable, organizations should be thankful when the target of an attack is crypto mining. In crypto mining, hackers use their victims’ computer power and electricity to fill crypto wallets, which pales in comparison to destructive targets such as ransomware.

It is difficult to determine the motivations of a hacker, but the two main intentions of a miner are the following:

  1. Mining is the secondary goal that allows for immediate monetization, while attackers move on to their primary goal, such as ransomware or data exfiltration.
  2. Mining is the primary goal, which could be a way for an ethical hacker to make money in the absence of a bounty for a bug, say, an act of Robin Hood hacktivism against corporate greed or digital squatting.

For advocates, discovering a crypto miner is almost a public service. Most organizations don’t have a legitimate reason to mine cryptocurrency, which means it’s always worth an investigation. In the first scenario, defenders have a better chance of containing the threat before it progresses to a primary objective.

Miners must regularly verify mining pools, and configuration files must be extracted with instructions, usernames, passwords, and wallet addresses. Additionally, they may cause abnormal usage statistics or a user may notice a decrease in the overall performance of the server. These are all triggers for an investigation.

Removing the miner and remediating the input method and subsequent steps leaves the organization with a better security posture after a minor incident.

The effect of cryptocurrencies on ransomware

The most common goal of hacking is the placement of ransomware. It affects business activities and requires ransom payment or incident response service to recover. The average cost of ransomware is $11,150 with a range of $70 to $1.2 millionaccording to a 2021 Verizon report.

Bitcoin is the most popular and accessible digital currency; it is easy to buy and offers a degree of anonymity. Depending on the method, setting up a Bitcoin wallet requires no personal information or identity validation, and transactions are nearly instant. These features make Bitcoin an excellent choice for threat actors looking to anonymously receive quick, large payments.

However, anonymity prevents many of these crimes from being attributed and solved. Despite this, the US Department of Justice was still able to recover the Bitcoin worth 2.3 million dollars that was paid in the attack on the Colonial Pipeline in May 2021.

There are also advances in the private sector. The total volume of cryptocurrency transactions increased 567% from 2020 to 2021, while illicit transactions increased 79% in the same period, reaching $14 billion. Of these illicit transactions, ransomware payments accounted for $602 million.

The ransomware payout figure represents the minimum value and may actually be higher. Still, the value and work put into tracking transactions offers hope that stolen funds can be identified and more recovered in the future through government cybersecurity initiatives.

The rise in the use of cryptocurrencies suggests that it is here to stay, and as adoption increases, mandates for responsible use and regulation are sure to follow.

In the case of crypto mining, the presence of cryptocurrencies helps identify compromises and offers threat actors a less destructive avenue to capitalize on their hacking efforts.

While threat hunters and actors have long played a game of cat and mouse, there seems to be a similar game going on with cryptocurrencies. What was first intended as a completely anonymized and untraceable currency, ready for abuse by criminals, has proven to be traceable and even recoverable.

A healthy debate around benefits and challenges of cryptocurrencies it is not only responsible, but essential. Cryptocurrencies appear to be here to stay and while the inherent decentralized nature must be maintained, proper regulation is crucial to limit avenues of abuse.

About the Author
Josh Davies is a product manager at Alert Logic. Formerly a security analyst and solutions architect, Davies has extensive experience working with midsize and enterprise organizations, conducting incident response and threat hunting activities as an analyst before working with organizations to identify appropriate security solutions for cloud challenges, local and hybrid environments.