Ransomware is so 2017, it's all cryptomining now among the script kiddies

Plus: Hackers take crack at cloud, phones come pre-pwned, malware's going multi-plat

By John Leyden


The number of organisations affected by cryptomining malware in the first half of 2018 ramped up to 42 per cent, compared to 20.5 per cent in the second half of 2017, according to a new report from Check Point.

The top three most common malware variants seen in the first half of 2018 were all cryptominers: Coinhive (25 per cent); Cryptoloot (18 per cent); and JSEcoin (14 per cent). All three perform online mining of the cryptocurrency – often without a user's knowledge, much less consent – when a surfer visits a web page that harbours cryptomining code.

Locky was the leading ransomware variant hitting organisations globally in the first six months of 2018, ahead of WannaCry and Globeimposter. Locky spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment. WannaCry used a Windows SMB exploit called EternalBlue to spread while Globeimposter is distributed by spam campaigns, malvertising and exploit kits.

Cloud infrastructures appeared to be a growing target among hackers during the first six months of this year. Check Point further noted an increase in the number of malware variants targeting multiple platforms (mobile, cloud, desktop etc).

"Up until the end of 2017, multi-platform malware was witnessed in only a handful of occasions," the security researchers said, "but, as predicted, the rise in the number of consumer-connected devices and the growing market share of operating systems which are not Windows has led to an increase in cross-platform malware. Campaign operators implement various techniques in order to take control over the campaigns' different infected platforms."

There were several incidences of mobile malware that originated from the supply chain. Infected devices are being sold to consumers so that new Android smartphones come pre-pwned with malicious code. Mobile malware is increasingly disguised as genuine applications on app stores. These nasties include banking trojans, adware and sophisticated remote access trojans (RATs), Check Point added.

Check Point's Cyber Attack Trends: 2018 Mid-Year Report is based on threat data collected between January and June 2018. ®

Updated to add

Matthew Vallis, chief strategy officer for JSEcoin, has been in touch to say the aforementioned mining software is not malicious, although we note antivirus and browser-blocker makers tend to label it as malware.

"JSEcoin is an opt-in-only ethically run system, which uses excess resources," Vallis told us. "The concept is to improve the user experience by allowing a webmaster to run a script instead of annoying adverts.

"The script uses less CPU than a typical advert. We are run ethically, and comparisons to malware such as Coinhive are totally incorrect."

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

When you think how infamous NHS-pwning malware's still hitting the unwary, it'll make you WannaCry – Kaspersky

Ransomware strain was top customer call-out title in 2018

Kaspersky Lab takes bite out of Apple in Russia over borked parental controls app

Store policy removed key features, alleges complaint

Revealed: Numbers show extent of security fears about security biz Kaspersky Lab

Global sales up 4% but North America element down 25%

Kaspersky Lab loses the privilege of giving Twitter ad money

Twitter's loss is the EFF's gain

Disgraced ex-Kaspersky guy made me do it, says bloke in Russian court on hacking charges

Oh no I didn't, says disgraced ex-Kaspersky guy

Sir, you've been using Kaspersky Lab antivirus. Please come with us, sir

US govt bans agencies from using Russian outfit's wares

Labs are for nerds, it's simply Kaspersky now – just hold still while we cyber-immunise you

Logowatch Inoffensive, nondescript logo screams 'building a safer world'

Taj Mahal and SneakyPastes: Kaspersky reveals pair of attacks menacing Asia, Middle East

Fresh round of targeted operations unearthed

Kaspersky updates its cybercrook look book: Smashing Office is hot, browser vulns are not

Over two-thirds of attacks Russian biz spied targeted venerable Microsoft suite

WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data