New forms of malicious software have mushroomed, appearing on hacked desktop computers. Hackers are also sneaking code that generates digital currency onto misconfigured cloud-computing servers and even onto websites, which have been reprogrammed so that visiting browsers become unsuspecting digital-currency generators.
Digital currencies such as bitcoin need a broad network of computers to process transactions. To lure participants, they pay off the computers that join the network with newly minted digital currency. These computers are called miners. A typical personal computer can crank out about one bitcoin every 4½ years, according to data provided by BitMiner, an online mining group.
In recent months, currency-mining software has been found on cloud-based internet servers operated by the British insurer Aviva PLC and Times Publishing Co., owner of the Tampa Bay Times, security companies say.
Unwanted mining software is also showing up more frequently on desktop computers, security companies say. Starting last May, researchers at the threat-intelligence firm Recorded Future Inc. saw offerings of such malware spike on dark web forums, where they typically sell for between $50 and $850. Recorded Future has found 62 different types of currency-mining malware for sale.
“Most of this software was offered for sale in the past year,” said Andrei Barysevich, a researcher at Recorded Future. “So criminals are definitely taking notice of a spike in cryptocurrency values.”
The value of bitcoin, the world’s most popular cryptocurrency, has jumped nearly 10-fold over the past year, from just over $600 in October 2016 to more than $6,000 earlier this month. That has made the mining software that performs the calculations required to process transactions on the bitcoin network much more valuable. On Thursday, the price of bitcoin was about $5,900.
Hackers have long sought new ways of converting the computers they hack into cash. They have stolen online banking credentials, rented out hacked machines to spammers or online attackers, and most recently have infected them with ransomware, malicious software that renders computers unusable until a ransom is paid.
While ransomware is still seen as the bigger threat, hackers are also looking for less-disruptive ways to earn money, computer-security companies say. In dark web discussion forums, hackers fret ransomware is so destructive it will prompt users to improve the security of their machines. Widely publicized outbreaks, such as this week’s Bad Rabbit ransomware, which shut down systems in countries such as Russia, Ukraine and the U.S., make more people aware of the phenomenon, security experts said.
Hackers also worry high-profile ransomware outbreaks such as WannaCry earlier this year may have ruined the “credibility” of the ransomware product, said John Fokker, digital-team coordinator with the Dutch National Police’s high-tech crime unit. WannaCry victims were typically unable to get their files back, even after they paid the ransom.
In an alert published Tuesday on the Bad Rabbit ransomware, the Department of Homeland Security’s Computer Emergency Readiness Team said it discouraged victims from paying the ransom because “this does not guarantee that access will be restored.”
A spokeswoman with the Federal Bureau of Investigation declined to comment for this article.
The spike in the value of digital currencies has given hackers a new avenue, said Mr. Fokker, whose unit was involved in the takedown of the AlphaBay dark web marketplace earlier this year.
“A lot of criminals are saying, ‘We’re OK with a lesser payout, so long as we stay safe and as long as the cash flow continues,’ ” Mr. Barysevich said.
Bitcoin isn’t the only digital currency driving hackers. In recent weeks, software that mines another digital currency, Monero, was spotted on the Tampa Bay Times’ PolitiFact fact-checking website and on websites belonging to CBS Corp.’s Showtime Networks, according to Troy Mursch, a computer-security researcher.
In both cases, the websites apparently were altered to run a special script that offloaded the mining work to the computers of anyone visiting the website, Mr. Mursch said.
Hackers were able to install their script on the fact-checking website after discovering a misconfigured cloud-computing server, said PolitiFact Executive Director Aaron Sharockman.
The Monero mining scripts earned money for the hackers by running inside browsers while users were visiting these sites, Mr. Mursch said. That slowed down computers temporarily, but didn’t actually install anything malicious on the visitors’ computers, he said.
Last month [September], hackers discovered Aviva computer consoles that hadn’t been properly secured, according to RedLock Inc., a seller of cloud-security services. That allowed the hackers to run their own bitcoin-mining software on the company’s cloud-computing machines.
The Aviva team fixed the issue after being notified by RedLock and it “had no impact,” an Aviva spokesman said.
RedLock has uncovered close to 100 similar examples of unsecured cloud resources taken over to mine digital currencies, said Varun Badhwar, the company’s chief executive.