They’re Drinking Your Milkshake: CTA’s Joint Analysis on Illicit Cryptocurrency Mining

In April, we blogged about CTA’s role in disrupting malicious cyber activity. We introduced the idea of routinely bringing our members together to develop Joint Analysis reports on specific threats and campaign activity, the same way our early members came together to report on the threat from Cryptowall Version 3 in 2015. Our goal with these reports is to bring our members together to focus on specific problems, share threat information, and work together to provide a complete picture for the common good.

Today, we release our next Joint Analysis, along with a Key Findings fact sheet, this time focusing on the threat of illicit cryptocurrency mining. CTA has brought together the top analysts in cybersecurity to leverage their combined resources and lay out the threat and recent trends, share insights on threat actor TTPs, describe the impact of illicit mining on enterprises and personal devices, and provide recommendations and best practices to address this issue.

CTA members are seeing an enormous increase in illicit mining activity targeting their customers. Activity has gone from a virtually non-existent issue to one that almost universally shows up at the top of our members’ threat lists. Combined data from several CTA members shows a 459 percent increase in illicit cryptocurrency mining malware detections since 2017. Recent quarterly trend reports from CTA members show that this rapid growth shows no signs of slowing down. If 2017 was defined by the threat of ransomware, 2018 has been dominated by illicit cryptocurrency mining.

For many, this may not seem like an important issue. What difference does it make if someone is stealing my computing power to mine cryptocurrencies? However, illicit mining is the “canary in the coal mine” of cybersecurity threats. If illicit cryptocurrency mining is taking place on your network, then you most likely have worse problems, and we should consider the future of illicit mining a strategic threat. More sophisticated actors could use – or may already be using – that same access to lay the groundwork for you to have a really bad day.

We encourage network defenders to make it harder for actors to install illicit miners by using the recommendations in this report, improving best practices and cyber hygiene, and employing security products from CTA members that benefit from shared information on the threat. Defenders must also improve their capability to detect instances of illicit mining and activate their incident response plans to mitigate infections that are discovered. These efforts will make it more expensive to exploit future systems, driving down the profit margins of malicious actors.
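The paragraph above asks defenders to improve their ability to detect illicit mining. The following Python triage script is an added example, not code from the CTA Joint Analysis or from any CTA member product. It scores constructed endpoint and network telemetry against a few heuristics that are assumptions of this example (a Stratum pool URI or miner-style flags on a command line, Stratum JSON-RPC methods in a captured payload, a system-binary name running from a user-writable path, sustained high CPU outside trusted directories, and destination ports commonly used by public pools), and reports hosts whose combined score crosses a threshold. Host names, paths, pool names and the sample events are all made up.

```python
"""Heuristic triage of telemetry for signs of illicit cryptocurrency mining.

Added example; the indicator patterns below are assumptions drawn from how
public Stratum mining clients behave, not findings from the CTA report.
"""
import json
import re

# Constructed sample telemetry: one JSON object per line, approximating an EDR
# process feed ("process") and a proxy/NetFlow feed with captured payload
# ("network"). Every host, path, wallet and pool name here is fictional.
SAMPLE_EVENTS = [
    '{"type": "process", "host": "ws-017", "pid": 4412, "image": "C:\\\\Users\\\\Public\\\\svchost.exe", '
    '"cmdline": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u 44abc -p x --donate-level 0", "cpu_pct": 97}',
    '{"type": "process", "host": "ws-017", "pid": 812, "image": "C:\\\\Windows\\\\System32\\\\svchost.exe", '
    '"cmdline": "svchost.exe -k netsvcs", "cpu_pct": 2}',
    '{"type": "network", "host": "srv-db-02", "dst": "203.0.113.9", "dport": 14444, '
    '"payload": "{\\"method\\":\\"login\\",\\"params\\":{\\"login\\":\\"44abc\\",\\"agent\\":\\"miner-client/1.0\\"}}"}',
    '{"type": "network", "host": "ws-031", "dst": "198.51.100.4", "dport": 443, "payload": ""}',
    '{"type": "process", "host": "build-07", "pid": 2231, "image": "/usr/bin/gcc", '
    '"cmdline": "gcc -O2 -c main.c", "cpu_pct": 99}',
]

# Assumed indicators. Weights are illustrative: URI and protocol hits are strong,
# port and CPU hits are weak and only matter in combination with something else.
STRATUM_URI = re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE)
MINER_FLAGS = re.compile(r"--(donate-level|cpu-priority|max-cpu-usage)\b")
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login"}
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "/usr/bin/", "/usr/lib/")  # lower-cased
CPU_HOT = 90


def score_event(event: dict) -> list[tuple[str, int]]:
    """Return (reason, weight) findings for a single telemetry event."""
    findings = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        image = event.get("image", "")
        trusted = image.lower().startswith(TRUSTED_PREFIXES)
        basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if STRATUM_URI.search(cmd):
            findings.append(("Stratum pool URI in command line", 3))
        if MINER_FLAGS.search(cmd):
            findings.append(("miner-style command-line flag", 2))
        if basename in SYSTEM_BINARY_NAMES and not trusted:
            findings.append(("system binary name running from a non-system path", 2))
        if event.get("cpu_pct", 0) >= CPU_HOT and not trusted:
            findings.append(("sustained high CPU from a non-standard path", 1))
    elif event.get("type") == "network":
        try:
            msg = json.loads(event.get("payload") or "")
        except json.JSONDecodeError:
            msg = {}
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            findings.append((f"Stratum JSON-RPC method {msg['method']!r}", 3))
        if event.get("dport") in COMMON_POOL_PORTS:
            findings.append(("destination port commonly used by mining pools", 1))
    return findings


def triage(lines: list[str], threshold: int = 2) -> dict:
    """Aggregate findings per host; return hosts whose score reaches threshold."""
    hosts: dict = {}
    for line in lines:
        event = json.loads(line)
        for reason, weight in score_event(event):
            entry = hosts.setdefault(event["host"], {"score": 0, "reasons": []})
            entry["score"] += weight
            entry["reasons"].append(f"pid {event.get('pid', '-')}: {reason}")
    return {h: e for h, e in hosts.items() if e["score"] >= threshold}


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score {entry['score']}")
        for reason in entry["reasons"]:
            print(f"  - {reason}")
```

Run on the constructed sample, the script flags ws-017 (a masquerading svchost.exe pointed at a Stratum pool with miner flags and pegged CPU) and srv-db-02 (a Stratum login to a pool-style port), while the compiler on build-07 burning 99 percent CPU from a trusted path produces no finding. The weak signals (port, CPU) deliberately cannot trigger an alert on their own; the point is that a hit on a strong indicator is the moment to pull the host into the incident response process the paragraph above calls for, since the same access that installed the miner may be used for worse.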

This Joint Analysis is a call to action for network defenders. CTA and network defenders have the ability to disrupt the activities of illicit miners by raising their costs and forcing them to change their behavior. Together, we can keep them from succeeding in their goals.


Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.