Crypto Alert of the Week: The Evolution of Crypto Ransom/Malware

Welcome to week 14 of the Crypto Alert of the Week series, dedicated to documenting interesting or high profile frauds/hacks etc that recently happened and have been reported into the AMLT Network and show how the AMLT Network can help track and prevent it in the future.
As the cryptocurrency space evolves, so do various attack angles that hackers use in order to get a hold of people’s coins. Today we take a look at some evolving cases.
Generally speaking, there are 3 popular attack angles. The first one being ransomware, a program that encrypts your files and demands a ransom to be paid (usually in Bitcoin) in order to decrypt and bring everything back. A popular example that comes to mind was the notorious WannaCry having its peak in 2017, still infecting many computers to this day.

AMLriskreportweek15hh.png

Second off, we have attacks at our files, scanning them and looking for any cryptocurrency keys that can be stolen. The Third one is malicious mining, done undercover, costing people a lot in electricity bills and lost PC performance. A famous example of that would be the Coinhive Monero mining botnet.

But what if a specific malicious program could do more than one of these actions depending on their profitability? Here’s where the infamous “Rakhni Trojan” comes in. First seen in 2013, this notorious and most likely of Russian origin virus has recently added a new weapon to its arsenal. What started as ransomware has now evolved and turned into a multi-purpose virus. Usually seen in spam campaigns, the virus infects PCs disguised as PDF reading software with forged digital certificates.

crypto2.png

Right after successfully gaining access, it begins a scan, looking for any cryptocurrency-related files and folders. If it finds what it’s looking for, it starts running the ransomware part, encrypting private files and demanding payment in bitcoin, of which details are to be sent via an email. In the case of not finding any cryptocurrency files, the virus instead checks the computer’s hardware and determines if it is capable of mining. If so, it downloads a mining software that mines either Monero, DASH or sometimes another Cryptocurrency in the background.

These kinds of attacks are incredibly hard to track, as the malware producers tend to prefer privacy-focused cryptocurrencies.
Another pretty notorious piece of malware would be the Bitclip virus. It’s yet another, well-known clipboard changer. It detects any cryptocurrency address stored in your computer clipboard and changes it to its own address. As simple as it may sound, it has actually stolen a whole lot of coins while remaining widely undetected due to people not really realizing that the addresses were being constantly replaced..
One of these malware addresses has been recently reported to the AMLT Network and marked as an address belonging to a hacker
See here how you can report and get rewarded for submitting data into the AMLTNetwork and help make the crypto economy a more transparent and safer one. Once reported into the Network and verified by our data team the risk reports for these addresses reflect the appropriate flag and elevated risk rating as well as behavioral profile.
Check out the AML Risk Report generated for the Bitclip malware below:

amlrisk14.png

If you’re interested in partnering with Coinfirm or becoming an AMLT Network Member then contact us!

Thank you for your continued support and make sure to follow all of our latest updates on Coinfirm’s Twitter, Facebook, LinkedIn and AMLT Telegram Community.

Sincerely,
The Coinfirm Team

subscribe to newsletter