This presentation covers the basic building blocks of cryptocurrency, how mining works, and why cryptomining is profitable. Brady Sullivan, Solutions Engineer from Anomali, discusses why threat actors are moving to include cryptominers in malware instead of one-and-done payloads like ransomware.
My name is Brady Sullivan.
I'm a solutions engineer at Anomali.
I used to work on the threat intelligence team, but now I'm primarily focused on engineering.
Today, we're going to talk about the rise of malicious mining for cryptocurrency.
So to begin with, I'm going to introduce you guys to how cryptocurrency works.
Hopefully, that's interesting to some of you guys.
Some of you might already know how it works.
Hopefully, this talk has stood out to you, because you think cryptocurrency is intriguing.
So I'll be talking about how blockchain works and how mining pools are used.
Then I'm going to talk about the shift from ransomware to cryptomining and finish out with legitimate applications of cryptomining and mitigation strategies.
So myself-- yup, solutions engineer.
I work on the Modern Honey Network project that Anomali started.
It's an open source project to host and run honeypot servers and collect information from them.
It's easy to install, works most of the time.
But I'm always online to answer questions or help you guys get installed if you're interested in honeypots.
I got started at hackthissite.org when I was a kid.
I don't know if you guys are familiar with it, but I think it's a great site to at least get started and get to know the community.
And then Portland State University, where I got my Bachelor of Science in computer science, great school.
And I'm always a cryptography enthusiast.
So if you guys want to talk about cryptography at any time afterwards, let me know.
I'm always down to chat.
So to start with-- big three, Bitcoin, Ethereum, Monero.
Bitcoin was the original cryptocurrency.
It started off with a white paper by Satoshi Nakamoto.
Of course, nobody knows really who he is.
And it just kicked off this huge boom of modern cryptocurrency.
So back in 2009, Bitcoin was launched.
Ethereum launched in 2013.
That introduced a lot of new features like smart contracts, different applications, like different use cases for cryptocurrency.
And it also introduced tokens and all sorts of neat features.
And then in 2014, we got Monero, which is a privacy focused cryptocurrency that tries to anonymize transactions better, anonymizes people better.
Whereas Bitcoin everything's traceable back to your address, Monero makes that much more difficult.
So if you send money to someone on Monero, you're not supposed to be able to figure out who sent it.
So that was a very neat feature introduced in Monero that made it become one of these major players on the market.
Here's a quick graph.
For those who aren't familiar with Bitcoin, you might find this interesting.
But if you are, you've seen this before.
It started out way low.
And you know, over the course of a single year it grew 100-fold in price.
That was an exciting year for those of us who had some Bitcoin and depressing for those of us who used to have some Bitcoin.
I played with Bitcoin back in 2009 when it started when I was in high school.
I was just messing around with it.
And you know, it wasn't worth anything back then.
I might have had 50 Bitcoin from just playing around, might not have.
But I sure don't anymore.
Otherwise, I wouldn't be here.
But, yeah, it's been exciting.
This graph is a little old, but, you know, it displays how much the market has changed, how much interest has changed in cryptocurrencies over the last couple of years for sure.
All right, to start it all off with, we got blockchain.
What is it?
It's a distributed ledger.
It's what makes cryptocurrencies possible.
The distributed ledger basically means we're tracking everyone's account balance over a p2p network.
So instead of just relying on a single bank to keep track of all of your account information and all of your account balances, it's spread across hundreds of thousands of nodes.
And then they use a consensus algorithm to come to the conclusion, no, you own this much.
So a single person can't change just one value on their node to like try and game the system.
They'd have to actually change Bitcoin's nodes, which is important.
And, of course, each transaction is cryptographically secured when it's added to the blockchain using both proof of work and cryptographic primitives, which I'll talk about shortly.
So, of course, with a blockchain, that kind of implies that you have several blocks.
And so a block is a batch of validated transactions.
These are literally the building blocks of a blockchain.
A single block would be a batch of valid transactions saying, you know, these 10 people sent these other 10 people these amounts of money.
And so we log that down into a single block.
It's cryptographically hashed so that, if it changes, the hash will change, and we would know.
It's not technically signed.
But when the data is added, it can't change without people noticing.
And we end up building something called a Merkle tree.
So up next, I will give a short demo on exactly how all of this works.
So a cryptographic hash takes data and outputs a hash, which is a single string.
And the important thing here is that it doesn't matter what we put in.
The result is unpredictable.
It's not random.
It's repeatable, which is important.
You will always get the same output with the same input.
And that doesn't matter who's doing it.
If you're following this algorithm, you will get the exact same output.
But the most important thing is it's repeatable, and it's unpredictable.
And whenever we change anything-- say we have a typo-- the output changes completely in an unpredictable manner.
And so this allows us to make certain conclusions about the data.
If we're always entering the exact same thing, we'll always get the same thing out.
And if anything changes, we will know, because it'll be completely different output.
And, of course, using that data or this information, we can build something called a block.
So let's say we're going to Detect '17, which was last year.
We do what's called the mining process.
And it basically hashes all of the data together to come out with a conclusion that starts with several zeros.
And the reason this is important is because it's difficult to randomly get this many zeros in a row.
And this is part of the proof of work.
You have to prove you've worked this hard to get this many zeros to start with.
And this hash means this data will-- well, this is all the data that we started with.
And we will always get this hash.
So if something changes, like, oh, now we're going to Detect '18, this hash changed completely.
It doesn't start with four zeros anymore.
It's completely different.
So in order to prove this is the data we have, we can mine it, do more proof of work.
And shortly here, we'll get a new hash that starts with four zeros.
The rest of it is completely random still or completely different.
But we know that, you know, after proving that we've worked on this, we've got this new data that's cryptographically secure.
And using this, we'll be able to build a blockchain.
So we've got all these blocks that you're used to.
And if we change anything, the chain breaks.
And so starting from the beginning of Bitcoin, we had a valid chain.
And everyone agrees that it's valid all the way to the end.
But if someone along the lines decides to try and change it, everyone's going to know that they broke something.
And that's important, because you don't want to be able to say, oh, I totally had 100 Bitcoin back here.
You know, everybody's going to know you're lying, because the math doesn't add up.
And it breaks the whole chain.
So let's go back to this.
So that's just a really quick technical rundown of a blockchain.
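The slide demo above is walked through by hand; what follows is the same idea as runnable code. This is an added example, not the speaker's demo and not code from any cryptocurrency project: a toy chain in Python with a SHA-256 hash, a Merkle root over the transactions in each block, a four-zero proof-of-work target, and a check that finds the first block whose proof of work or link to its parent no longer holds after a retroactive edit. The class names, the difficulty and the sample transactions are all made up for the illustration.

```python
import hashlib
import json
from typing import List, Optional

DIFFICULTY = "0000"   # required hash prefix; every extra zero makes mining about 16x harder


def sha256_hex(data: str) -> str:
    """Cryptographic hash: the same input always gives the same output,
    and any change gives an unrelated-looking output."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def merkle_root(transactions: List[str]) -> str:
    """Hash the transactions pairwise up to a single root.  A block commits
    to this one value, and editing any transaction changes it."""
    level = [sha256_hex(tx) for tx in transactions] or [sha256_hex("")]
    while len(level) > 1:
        if len(level) % 2 == 1:          # odd count: pair the last hash with itself
            level.append(level[-1])
        level = [sha256_hex(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


class Block:
    def __init__(self, index: int, transactions: List[str], prev_hash: str):
        self.index = index
        self.transactions = list(transactions)
        self.prev_hash = prev_hash      # link to the parent block's hash
        self.nonce = 0                  # the only field mining is allowed to vary

    def header(self, root: Optional[str] = None) -> str:
        # Everything the block hash commits to: position, transactions, parent, nonce.
        root = root or merkle_root(self.transactions)
        return json.dumps({"index": self.index, "merkle_root": root,
                           "prev_hash": self.prev_hash, "nonce": self.nonce}, sort_keys=True)

    def hash(self) -> str:
        return sha256_hex(self.header())

    def mine(self) -> str:
        """Proof of work: bump the nonce until the hash starts with DIFFICULTY zeros.
        On average that takes 16**len(DIFFICULTY) attempts."""
        root = merkle_root(self.transactions)   # unchanged during mining, so compute it once
        while not sha256_hex(self.header(root)).startswith(DIFFICULTY):
            self.nonce += 1
        return self.hash()


class Chain:
    def __init__(self):
        genesis = Block(0, ["genesis"], "0" * 64)
        genesis.mine()
        self.blocks = [genesis]

    def add_block(self, transactions: List[str]) -> Block:
        block = Block(len(self.blocks), transactions, self.blocks[-1].hash())
        block.mine()
        self.blocks.append(block)
        return block

    def first_invalid_index(self) -> Optional[int]:
        """Index of the first block that breaks the chain, or None if every
        block still carries valid proof of work and links to its parent."""
        for i, block in enumerate(self.blocks):
            if not block.hash().startswith(DIFFICULTY):
                return i                     # proof of work no longer holds
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash():
                return i                     # link to the parent is broken
        return None


if __name__ == "__main__":
    chain = Chain()
    chain.add_block(["alice->bob:5", "bob->carol:2"])   # constructed sample transactions
    chain.add_block(["carol->dave:1"])
    print("valid chain, first invalid block:", chain.first_invalid_index())
    chain.blocks[1].transactions[0] = "alice->bob:100"   # retroactive edit
    print("after tampering, first invalid block:", chain.first_invalid_index())
```

After the edit, block 1's hash almost certainly no longer starts with four zeros, and even in the rare case it still does, block 2's stored parent hash no longer matches, so the break is reported at block 1 or 2 and every block after it is orphaned. Rewriting history means redoing the proof of work for that block and every later one, which is the cost the talk is describing.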
So, now, I wanted to talk about mining pools, because they're also fairly important in today's cryptocurrency mining landscape.
When you're doing proof of work, it means your computer's running.
It's just constantly making computations.
And Bitcoin was designed to process a transaction approximately every 10 minutes globally.
So as more and more people use Bitcoin, the less likely you are to actually mine that Bitcoin block and get the Bitcoin from that process.
So people have created what's called a pool.
And basically, you share your resources.
So if you've got 10 people working on this problem, your chances of actually solving the problem are better.
And when you do solve it, you just share the bounty.
And the actual sections in the pie chart aren't important, but the important part is, you know, the chances of you actually making money from mining Bitcoin nowadays are very small unless you join a pool.
And then you can share the bounty if your group happens to mine Bitcoin.
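As an added illustration of the pool mechanics just described (not the speaker's material and not any real pool's code), the toy below has miners of different hashrates search for a four-zero hash, credits each of them with "shares" for the easier two-zero hashes they find along the way, verifies those shares the way a pool would before trusting them, and compares the proportional pool payout with the winner-take-all result of mining solo. The header string, the hashrates and the reward are constructed values.

```python
import hashlib
from typing import Dict, Tuple

BLOCK_TARGET = "0000"   # network difficulty: only a hash with this prefix earns the block reward
SHARE_TARGET = "00"     # pool difficulty: easier, so every miner regularly proves it is working
BLOCK_REWARD = 12.5     # illustrative reward per block, not a real figure


def hash_attempt(header: str, nonce: int) -> str:
    return hashlib.sha256(f"{header}:{nonce}".encode("utf-8")).hexdigest()


def verify_share(header: str, nonce: int) -> bool:
    """The pool recomputes every submitted share; it never takes the miner's word."""
    return hash_attempt(header, nonce).startswith(SHARE_TARGET)


def mine_until_block(header: str, hashrate: Dict[str, int]) -> Tuple[Dict[str, int], str, int]:
    """Simulate one round.  Each tick, miner m tries hashrate[m] nonces from its own
    disjoint nonce space.  Returns (accepted shares per miner, finder, winning nonce)."""
    names = list(hashrate)
    shares = {m: 0 for m in names}
    tried = {m: 0 for m in names}
    while True:
        for i, m in enumerate(names):
            for _ in range(hashrate[m]):
                nonce = tried[m] * len(names) + i     # interleaved so ranges never overlap
                tried[m] += 1
                digest = hash_attempt(header, nonce)
                if digest.startswith(SHARE_TARGET):
                    shares[m] += 1                    # a share the pool could re-verify
                    if digest.startswith(BLOCK_TARGET):
                        return shares, m, nonce       # a block solution is also a share


def pool_payout(shares: Dict[str, int]) -> Dict[str, float]:
    """Proportional split: reward * (your shares / all shares in the round)."""
    total = sum(shares.values())
    return {m: BLOCK_REWARD * s / total for m, s in shares.items()}


def solo_payout(names, finder: str) -> Dict[str, float]:
    """Without a pool the finder takes everything and everyone else gets nothing."""
    return {m: (BLOCK_REWARD if m == finder else 0.0) for m in names}


if __name__ == "__main__":
    rates = {"alice": 5, "bob": 3, "carol": 2}    # relative hashrates, constructed
    shares, finder, nonce = mine_until_block("block-header-data", rates)
    print("shares:", shares, "block found by", finder, "with nonce", nonce)
    print("solo :", solo_payout(rates, finder))
    print("pool :", pool_payout(shares))
```

The expected income is the same either way; what the pool changes is the variance. Solo, a miner with a fifth of the hashrate gets the whole reward one round in five and nothing the rest of the time, while in the pool it gets roughly a fifth of every block, which is why small miners join one.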
Also, I thought it would be interesting to add in the amount of electricity used from Bitcoin with all the computers running Bitcoin miners.
I originally gave this talk for an energy ISAC.
So I thought this was especially important, but figured you guys might find it interesting, too.
So, right now, the current estimated consumption of the whole Bitcoin network is 73 terawatt hours, which is insane.
The closest country in the world in terms of energy consumption is Austria.
So right now Bitcoin uses more energy than the country of Austria.
The annual carbon emission of the Bitcoin network is, well, close to And each transaction you make using Bitcoin uses up 437 kilograms of CO2.
So it's definitely not a green technology.
So here's a few graphs.
Bitcoin's right in the middle.
You can see that Czech Republic is on the low end.
You've got Finland up here.
And, of course, Austria's right next to Bitcoin as the nearest country in terms of energy consumption.
So this is a percentage that could be powered by Bitcoin.
So you could power more than one Czech Republic with the amount of energy Bitcoin uses.
You can power a little under 20% of Canada.
It's just insane amounts of electricity being used to power the Bitcoin network.
And if we compare this to Visa, like a normal Visa transaction, one Bitcoin transaction obviously uses, you know, five times more than And that makes sense, because Visa is not, you know, doing all of this proof of work on each transaction, whereas Bitcoin is.
But this is definitely one of the reasons why people are researching new blockchain technologies, because they want to make the power consumption much less, make it greener.
It's kind of ridiculous.
So [INAUDIBLE] people [INAUDIBLE] global warming and [INAUDIBLE].
You don't hear about this.
No, you don't hear about this.
It's interesting, because it's just electricity.
And when you hear of stuff that runs on electricity, you usually don't think of CO2 emissions as much as like, oh, we've got all these cars, and planes, and ships that are literally burning fossil fuel.
And like, oh, if you're running an electric car, you know, obviously you're green.
You've got zero emissions or whatever.
But you're still using electricity.
And electricity still emits greenhouse gases, because a lot of our electrical power plants are running on fossil fuel.
And within the Bitcoin community, this is definitely like a big thing they talk about.
There's lots of projects that are trying to come up with solutions that don't use just pure electricity cycles to try and compute stuff for Bitcoin.
There's a few interesting players that are trying to do different algorithms for just proving that you've spent time on it or that you have certain amount of hard drive space or memory space, something that doesn't actually speed up your CPU and consume more power.
So, hopefully, in the future soon we'll see new use cases that don't use up as much electricity.
But right now, Bitcoin, it's powering Austria.
So to move on-- a brief history of ransomware.
Ransomware is not new by any means.
But with Bitcoin, it allowed attackers and the bad guys to ask for ransom in this new currency that can't as easily be traced.
So CryptoLocker came out in 2013, 2014 and spread by the Zeus botnet, which you might have heard of.
It's considered to be like one of those early ransomwares that actually use Bitcoin to try and get money from people.
Rather than asking someone to mail you a check, which used to be a form of ransomware, they'd literally lock up your system and give you an address to send a check to.
That doesn't always turn out great for the bad guy if, you know, the FBI tracks that address.
So people moved to cryptocurrency.
WannaCry in 2017 was super popular.
I'm sure most of you have heard about it.
The average ransom demand according to Symantec is $544 in one of their recent reports.
So for each ransomware infection, you're not really going to expect $544, but that's usually what's being asked.
And not everyone pays it, so of course the average is much lower than that per infection.
Also, a couple of important notes on ransomware is it's a one and done scheme.
If you infect someone, you ask them for their money.
They pay you.
You unlock it, hopefully.
And then you move on.
So you're expecting, you know, just a single payout from each infected person.
And then you probably don't hear from them ever again unless you happen to infect them again.
And then they're not so happy to pay you again.
Also, in lower income areas, ransomware is not as effective.
Because lower income areas, people aren't able to pay to get their files back or aren't willing to get a payday loan to just get their files back.
So ransomware is a very specific threat that definitely has its downfalls in terms of the bad guys think of them as downfalls.
But this is where cryptomining comes in.
So at the same time as WannaCry, you probably didn't hear about a similar attack that also used EternalBlue and DoublePulsar, the same way that WannaCry spread.
This was just a cryptomining campaign.
Instead of shutting down people's computers and locking them up, these guys just kind of stayed low, used the computers for mining and earned themselves about $3,000 to $9,000 per day over the course of a couple of weeks.
WannaCry was kind of infamously shut down early and didn't get much money from its campaign, whereas these guys, you know, much less heard of in the mainstream media, they were making bank.
And that's because they were using cryptomining instead of ransomware.
So, yeah, the shift has been very noticeable if you've been following malware threats.
Ransomware has declined a bit.
It's still very popular, but it's definitely declined, because it's less profitable.
It's one and done, you know?
And cryptominers are much stealthier.
If you're talking a huge corporation and you shut down a bunch of their computers, they're going to be angry.
They're going to lock their stuff down.
Hopefully, they're not going to pay you to get their stuff back.
And then they're going to set up avenues to protect themselves better in the future.
If you're using cryptominers, you can stay low, you know, make money continuously rather than just one and done.
And you can end up with much more money in the end than compared to just using ransomware.
There's also been a rise in cryptojacking.
And cryptojacking is cryptomining, but it's implied that you're going to a website.
And there's advertisements or libraries that have been affected.
There's been a huge rise in this.
There's been lots of websites, such as Tesla, and the NHS, and the UK, and lots of government websites including DOJ websites within the US, that have been affected by cryptojacking.
And a lot of what they do is they'll find libraries that websites use.
They'll get into that third party library, whether they exploit the hosting server or they just manage to get their source code merged in.
But they'll have cryptojacking software in it.
And if it ends up being used by these companies like Tesla or the advertisers or, you know, the NHS websites, your browser's going to start mining cryptocurrency for them.
So with that, we've gotten a huge rise in Monero, because Monero is different than Bitcoin in that it is easy to mine using a computer CPU rather than a GPU.
It's much easier to mine Bitcoin when you have a GPU or specially designed integrated circuits called ASICs, whereas Monero uses CPU.
And it can mine well on just about any device.
It's also difficult to track as we talked about earlier.
And so bad guys have been using Monero instead of Bitcoin for a lot of these nefarious activities, which is one thing you can alert on.
If you see a lot of Monero traffic, but you're expecting a lot of legitimate Bitcoin traffic, check out the Monero transactions that you're seeing on your network or, you know, end points towards Monero related services.
There's, of course, legitimate uses which I think is really interesting to talk about.
Salon.com at one point this year tried to test using-- I'm not sure if it was CoinHive specifically.
But they were using cryptomining as a substitute to advertisements.
So if you opted in, you could basically turn off advertisements on their site.
And you can just let them mine cryptocurrency while you were viewing their site.
Many people might find this a good trade off.
You know, you don't have to look at a bunch of crazy pop-ups or ads for certain medications.
And instead you just mine cryptocurrency for them in the background, which doesn't cost you anything but a little bit extra electrical power.
You can use it as a substitute for subscriptions.
You don't have to pay The New York Times $10 every month if you let them mine cryptocurrency on your computer.
That's just an example.
The New York Times doesn't specifically do that.
But as an example, you know, this is a legitimate use.
CoinHive is a specific provider of this.
And they claim to be a legitimate provider.
But they're used by tons of bad guys, so they've gotten a bad rap.
Whether or not they deserve it is up to you guys.
They haven't necessarily behaved great themselves, but they can be used legitimately.
So to mitigate cryptojacking and cryptomining stuff, you know, there's lots of resources.
Anti-malware can notice a lot of cryptomining software if you've accidentally downloaded it onto your machine.
Threat intelligence feeds, of course-- we're Anomali.
I have to mention this.
It's actually a really good way to find endpoints for like CoinHive.
You know, if you're not expecting to see CoinHive or other cryptomining websites on your network and you see them, you can alert on that.
And you can be alerted that early on, rather than have someone tweet at you, hey, you're infected.
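An added example of the alerting just suggested, written for this page rather than taken from Anomali or any product: it runs a few constructed egress-proxy log lines through three checks, a destination on an indicator list (coinhive.com from the talk plus placeholder names standing in for a feed), the JSON-RPC method names of the Stratum protocol that Bitcoin miners and Monero miners such as XMRig use to talk to their pools, and a Monero-shaped wallet address in the payload, with common pool ports used only to corroborate another hit. The log format and every IP address, hostname and wallet string are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed indicator list standing in for a threat-intelligence feed.
# coinhive.com is the service named in the talk; the others are placeholder names.
MINING_INDICATORS = {"coinhive.com", "pool.xmr-mining.example", "mine.cryptopool.test"}
# JSON-RPC method names of the Stratum mining protocol (Bitcoin pools) and of the
# Stratum variant that Monero miners such as XMRig speak to their pools.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "getjob", "submit"}
# Ports many pools listen on; a weak signal, so it only strengthens another match.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Monero standard addresses are 95 base58 characters starting with '4'.
MONERO_ADDRESS = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")


def parse_line(line: str) -> Dict[str, object]:
    """Assumed (constructed) log format: ts, src, dst host, dst port, payload, tab separated."""
    ts, src, host, port, payload = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "src": src, "host": host.lower(), "port": int(port), "payload": payload}


def stratum_method(payload: str):
    """Return the Stratum method name if the payload is a Stratum JSON-RPC message."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    method = msg.get("method") if isinstance(msg, dict) else None
    return method if method in STRATUM_METHODS else None


def classify(event: Dict[str, object]) -> List[str]:
    reasons = []
    if event["host"] in MINING_INDICATORS:
        reasons.append(f"destination {event['host']} is on the mining indicator list")
    method = stratum_method(event["payload"])
    if method:
        reasons.append(f"Stratum method '{method}' in payload")
        if event["port"] in POOL_PORTS:
            reasons.append(f"port {event['port']} is a common pool port")
    if MONERO_ADDRESS.search(event["payload"]):
        reasons.append("Monero wallet address in payload")
    return reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    alerts = []
    for line in lines:
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"ts": event["ts"], "src": event["src"],
                           "host": event["host"], "reasons": reasons})
    return alerts


# Constructed sample: an egress proxy log with one line per outbound connection.
XMR_ADDR = "4" + "A" * 94     # placeholder with the right shape, not a real wallet
SAMPLE_LOG = [
    "2018-05-01T10:00:01Z\t10.0.0.5\tcoinhive.com\t443\tGET /lib/coinhive.min.js",
    "2018-05-01T10:00:02Z\t10.0.0.7\t203.0.113.9\t3333\t"
    + json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                  "params": {"login": XMR_ADDR, "pass": "x", "agent": "XMRig/2.6.0"}}),
    "2018-05-01T10:00:03Z\t10.0.0.8\tapi.example.org\t443\t" + json.dumps({"method": "ping"}),
    "2018-05-01T10:00:04Z\t10.0.0.9\tupdates.example.org\t443\tGET /manifest.json",
    "2018-05-01T10:00:05Z\t10.0.0.10\t198.51.100.20\t3333\t"
    + json.dumps({"id": 2, "method": "mining.subscribe", "params": ["cgminer/4.9.0"]}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["src"], "->", alert["host"], "; ".join(alert["reasons"]))
```

The third and fourth lines produce nothing: a JSON-RPC "ping" to an API host is not a Stratum method, and a plain GET carries none of the signals. The last line is the point of combining an indicator feed with protocol detection: the pool at 198.51.100.20 is on no list, but the `mining.subscribe` handshake on port 3333 still gets it flagged.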
There are also defensive programming techniques you can use if you're worried that they're going to get infected in the future.
You can use a technique or an HTML resource tag that's called Subresource Integrity.
And basically, you put a hash of the file you're expecting into your HTML.
And then when it loads, it checks that file.
And so if it doesn't match, it doesn't load it.
So if you're not expecting your file to change, it won't load it if you're using Subresource Integrity.
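Added example (not the speaker's and not taken from any browser's source): computing the integrity value for a script, emitting the tag, and mimicking the browser's check against a constructed copy of the file with a miner loader appended. The CDN URL and the file contents are placeholders.

```python
import base64
import hashlib
import hmac
import html

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only algorithms SRI allows, weakest first


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value for a resource: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI does not accept {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag to publish.  crossorigin is required for a cross-origin script;
    without CORS the browser cannot read the bytes it needs to hash."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(content)}" crossorigin="anonymous"></script>')


def browser_would_load(fetched: bytes, integrity: str) -> bool:
    """Mimic the browser: of the tokens in the attribute, keep those using the
    strongest algorithm it understands, and load only if one of them matches."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        return True          # no usable token: the spec says the resource loads unchecked
    strongest = max(tokens, key=lambda t: SRI_ALGOS.index(t.partition("-")[0]))
    algo = strongest.partition("-")[0]
    actual = sri_hash(fetched, algo)
    return any(hmac.compare_digest(t, actual)
               for t in tokens if t.partition("-")[0] == algo)


# Constructed sample: the library as published, and the same file after a
# cryptojacking payload has been appended on the hosting server.
ORIGINAL_JS = b"window.lib = { version: '1.0' };\n"
TAMPERED_JS = ORIGINAL_JS + b"(function(){ /* miner loader would go here */ })();\n"

if __name__ == "__main__":
    integrity = sri_hash(ORIGINAL_JS)
    print(script_tag("https://cdn.example/lib.js", ORIGINAL_JS))
    print("original loads:", browser_would_load(ORIGINAL_JS, integrity))
    print("tampered loads:", browser_would_load(TAMPERED_JS, integrity))
```

Two caveats a practitioner hits in practice: an `integrity` attribute with no token the browser understands (say, a misspelled algorithm name) does not block anything, the resource simply loads unchecked, so the value has to be generated rather than typed; and the hash pins one exact file, so a library that is legitimately updated in place will stop loading until the tag is regenerated, which is the behaviour you want for a third-party script.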
And that's all I got for today.
So if you guys have any questions or thoughts or anything, I've got some time I believe to answer that.
I covered a lot of different stuff.
So if anything stands out, feel free to ask.