When unauthorized software found its way onto the network of a small Tennessee hospital, the culprits didn’t ask for ransom. They didn’t steal records. What they did was silently harness computing power for a money-making task.
The task was to “mine” digital currency, and the culprits did it by yoking together a quiet army of infected computers to generate a stream of money.
It is a trend that coincides with the dizzying trajectory of many digital currencies, which skyrocketed in 2017, dipped early this year and recovered in the past several days.
Cybersecurity experts call it “cryptojacking” — hijacking computers to produce digital currency, like Bitcoin, Litecoin and Monero that have been in the news.
Infected networks or computers perform double duty, conducting normal functions (perhaps a bit more slowly) while also obeying remote commands to do calculations that generate digital currency for the criminals, or wrongdoers, who may be company insiders.
Up to 24,000 patients of the Decatur County General Hospital in Parsons, Tennessee, were notified in a Jan. 24 letter from the hospital that a server had been compromised, the HIPAA Journal reported Thursday.
“The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency,’” the hospital told patients, adding that it had no indication that intruders sought patient data like Social Security numbers or clinical and insurance information.
An Israeli firm, Radiflow, reported this week that a large European wastewater site had five of its servers infected by “cryptojacking” malware.
Radiflow’s chief executive, Ilan Barda, said in a telephone interview that regulators asked him not to identify the country where the infection occurred although he called it “quite a modern one.”
Unfortunately, it’s spreading quite widely.
Ilan Barda, chief executive of Radiflow
“Unfortunately, it’s spreading quite widely,” Barda said of the infection. “There are reports now of Android devices being infected and reports of home devices and enterprise devices (being infected).”
The ransomware attacks that spread around the world last year, in which malicious code would encrypt hard drives and flash a message on the screen demanding payment to decrypt files, have ebbed.
“We’ve seen a big drop-off in those attacks and the same mechanisms that were delivering those attacks in the past now install these crypto-miners instead,” said Ryan Olson, director of threat intelligence for Palo Alto Networks, a Reston, Virginia, cybersecurity firm
The earnings from an infected computer might seem marginal. Cisco Talos, a threat intelligence firm, calculated last week that an average computer might earn only the equivalent of 25 cents a day. But experts say it’s a volume business.
If 2,000 computers are harnessed together in an unseen network, it “could generate $500 per day or $182,500 per year,” the company said in a posting. “Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically.”
Palo Alto Networks estimated in a posting Jan. 24 that at least 15 million computers had been conscripted into crypto-mining operations worldwide, most heavily in Asia.
You are taking resources from the company you work for.
Richard Ford, chief scientist at Forcepoint
“It’s entirely possible for an employee … who’s got a server sitting around to go, ‘Oh, I can make some money on the side, even if it’s only 100 bucks or a couple hundred bucks a week or a month by having this running in the background, and I’m not really hurting anyone.’ Of course, you are. You are taking resources from the company you work for,” Ford said.
In its letter, the Tennessee hospital was careful not to blame an outside criminal group, saying only that unauthorized crypto-mining software had been introduced to its server.
In the networks used by cryptocurrencies, miners solve mathematical puzzles as a way to confirm transactions. They obtain new cryptocurrency as a reward. Specialized processor farms have been set up in some countries to mine bitcoin, but other digital currencies can still be mined on small computers, or even handheld phones.
Infected computers and networks can slow down as their processors are forced into great activity. Hackers are not necessarily looking for powerful computers, experts said.
You make it up in numbers. You don’t need the fastest computer.
Richard Ford of Forcepoint
“You make it up in numbers,” Ford said. “You don’t need the fastest computer.”
In the variant that Palo Alto Networks tracked, the malware was used to mine only a newer digital currency, Monero, which has won favor with criminal groups.
“Monero is one of the few coins that is really private, it’s really anonymous when you transfer it,” Olson said, adding that the distributed way that bitcoin is traded means that “everyone can see which wallet transfers how much currency to another wallet.”
Delays in completing payments and high processing fees are other reasons that criminals now favor digital currencies other than Bitcoin, the Recorded Future cybersecurity firm said Thursday in a blog post.
It is not only malicious worms that can force computers to mine cryptocurrencies. Websites can also contain code that sets visiting browsers to temporarily conduct mining operations.
“This has happened to a lot of people. They visit a website, they are looking at it, and all of a sudden, the fan on their laptop turns to high speed mode,” Olson said, “and it’s like, ‘What is going on?’ … Maybe it’s mining cryptocurrency.”