How profitable is crypto-mining malware?

Max Heinemeyer, Director of Threat Hunting | Monday April 16, 2018

One of the top malware trends in recent months has been the stellar growth of crypto-mining malware. Of the various crypto-currencies, the most prominent malware used for illegal mining activities is Monero, a crypto-currency that can be profitably mined on commodity hardware such as laptops and workstations. Moreover, a related trend observed recently is that of laterally moving malware which, as its name suggests, moves between devices to execute its payloads in a variety of different ways. This malware, used in attacks such as WannaCry, NotPetya and BadRabbit, uses techniques such as encrypting hard drives with ransomware while also deploying Monero miners.

As Darktrace regularly detects crypto-mining attempts the moment they occur on a network, we can estimate the cash flow stream a cyber-criminal earned on a laterally moving Monero-miner infection that Darktrace identified.

How it began

Last month, a customer’s device – which we will call patient zero – became infected with a Monero-miner. After a short time, patient zero started looking for accessible SMB drives by scanning the internal network for devices on port 445. As the device had not conducted any network scanning activity in the past, Darktrace flagged the process as an unusual network scan and an anomalous SMB enumeration:

The network scan (device names are redacted)

Once patient zero identified accessible IPC$, ADMIN$ or C$ SMB drives, it transferred an executable to the drive. After the file transfer, the malware used PsExec to connect to the device and execute the malicious software. As patient zero had not made any SMB drive writes and had not used PsExec in this fashion before, alerts were raised immediately:

Lateral movement (device names are redacted)

Spread and containment

The now-infected device started mining Monero and attempted to communicate over Tor2Web with Command & Control (C2) servers:

C2 traffic (device names are redacted)

Using Darktrace, the security team identified the infection within minutes and assessed the complete extent of the infection in less than an hour. Within three hours from initial detection, the security team had run a clean-up script on their network which stopped the spread.

Revenue estimates

We have estimated the hypothetical revenue for this particular attack. To make the mining less detectable, some of the current Monero-mining malware applies restrictions to both the number of threads that can be used and the maximum CPU usage capacity. As a result, we have estimated the figures below on a worst-case scenario basis.

We know that 300 machines were infected and that the Monero miners were running for around 4 hours.

Mining profitability is commonly measured in the amount of hashes calculated per second per CPU core or GPU. This number, known as hashes per second (H/S), can differ based on the hardware used. A common number on the lower end of the scale for H/S on a single CPU is 20 H/S for the CryptoNight algorithm used to mine Monero.

GPUs, being more efficient for the CryptoNight algorithm, can yield 2-3x the H/S rate of CPUs and beyond. Keeping with a worst-case scenario basis, we will assume all infected devices had only 2 CPU cores and no GPUs, meaning a single infected machine yielded 40 H/S. This leads us to the following calculation: 300 infected devices x 40 H/S = 12000 H/S.

A Monero-mining revenue calculation tool produced the following results: with a Monero price of $202.43 at the time of infection (disregarding electricity costs), the criminal would have earned roughly $15.85 in 24h. As the miners only ran for around 4 hours, the resulting revenue would have only been $2.64. So how is this profitable?

It’s a numbers game

Cryptocurrency-mining operations are designed to last for months, not hours. If this infection had gone undetected, the criminal would have earned $15.85 per day, or $475.62 per month. Furthermore, victims with larger networks are much less likely to notice the infection. As attacks spreading this kind of malware are often indiscriminate in nature, they will often hit thousands of organizations at the same time, giving them the capacity to generate much more than just half a dollar.

Blog Archive

Thursday January 10, 2019
Monday December 3, 2018
Thursday November 22, 2018
Thursday October 25, 2018
Thursday October 4, 2018
Monday August 20, 2018
Monday July 16, 2018
Friday June 22, 2018
Wednesday May 9, 2018
Monday April 16, 2018
Wednesday March 7, 2018
Tuesday February 13, 2018
Friday February 2, 2018
Monday January 22, 2018
Friday December 8, 2017
Monday November 27, 2017
Monday October 30, 2017
Wednesday October 25, 2017
Thursday October 12, 2017
Monday October 2, 2017
Monday September 18, 2017
Monday July 31, 2017
Thursday June 29, 2017
Wednesday June 21, 2017
Wednesday May 17, 2017
Monday May 8, 2017
Wednesday April 5, 2017
Monday March 6, 2017
Monday February 13, 2017
Monday January 30, 2017
Monday January 9, 2017
Friday December 16, 2016
Monday December 5, 2016
Friday November 18, 2016
Friday November 4, 2016
Monday October 24, 2016

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew advises Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning and autonomous response. He has a technical background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. He was most recently featured on BBC World, BBC Morning and Al Jazeera to comment on the news regarding the GRU.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.