The rise of cryptocurrency miners

Cryptocurrency is one of the newest forms of currency. Cryptocurrencies usually rely on peer-to-peer (P2P) networks in order to manage transactions, funds and accounts across the globe. Most cryptocurrencies rely on blockchain technology to do this.

Bitcoin is the most well-known and widely used cryptocurrency right now. Bitcoin was partially modelled on the gold mining industry: whenever the amount of gold being found decreases, the price increases. Bitcoin operates in the same way.
The price of Bitcoin rose drastically in 2017, going from around $880 USD in January to $14,758 USD in December. Because of this, cryptocurrency miners (alongside ransomware) have been the weapon of choice in 2017 for financially motivated cyber-criminals.

Cryptocurrency miners work by solving difficult maths problems on a user’s machine; in return, the miner’s operator gains a certain amount of cryptocurrency (0.001 BTC, for example). The more maths problems that get solved, the harder they become for everyone to solve.

These miners take up a considerable amount of system resources, causing electricity usage to rise and device performance to fall. Many security companies will classify bitcoin miners as Potentially Unwanted software, since many users don’t actually know that they are installed on their computer.

In mid-2017, browser-based miners became popular, because they can easily be planted in the background of a webpage without any user interaction. An example of this is Coinhive. Coinhive is a JavaScript library that performs Monero cryptocurrency mining using the resources of the user that visits the website.


[Image: Coinhive JavaScript]

I predict that in 2018, JavaScript cryptocurrency miners will be used more often than traditional miners by criminals. In addition, I expect Adblocker Extensions in the future to block these malicious scripts as they take up considerable system resources.
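As an added example (not code from the original post), here is a small defender-side scanner for the kind of browser-based miner described above. It pulls every `<script>` tag out of a fetched HTML page and flags the Coinhive loader by its script URL and constructor name (`CoinHive.Anonymous` is the library’s public API name, not something the post mentions), then applies a generic heuristic for unknown miners: an inline script that references WebAssembly, a WebSocket and hash-rate reporting in the same block. The sample pages and heuristic token list are constructed for this example.

```python
"""Detect browser-based cryptocurrency miners in an HTML page (added example)."""
import re
from html.parser import HTMLParser

# Known-miner indicators for Coinhive: loader URL and the public constructor name.
KNOWN_MINER_SRC = re.compile(r"coinhive\.(com|min\.js)", re.IGNORECASE)
KNOWN_MINER_API = re.compile(r"CoinHive\.(Anonymous|User)\s*\(")
# Generic heuristic (assumption for this example): in-browser miners usually ship a
# WebAssembly hashing core, talk to a pool over WebSocket and report a hash count.
HEURISTIC_TOKENS = ("WebAssembly", "WebSocket", "hashes", "throttle", "cryptonight")
HEURISTIC_MIN_HITS = 3


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # body of each inline <script> block
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(html):
    """Return a list of (finding_kind, evidence) tuples for the given page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        if KNOWN_MINER_SRC.search(src):
            findings.append(("known-miner-src", src))
    for body in collector.inline:
        m = KNOWN_MINER_API.search(body)
        if m:
            findings.append(("known-miner-api", m.group(0).strip()))
        hits = [t for t in HEURISTIC_TOKENS if t in body]
        if len(hits) >= HEURISTIC_MIN_HITS:
            findings.append(("heuristic-miner", ",".join(hits)))
    return findings


# Constructed sample pages; the site key below is a placeholder, not a real key.
SAMPLE_MINER_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></body></html>"""

SAMPLE_GENERIC_MINER_PAGE = """<html><body><script>
var ws = new WebSocket('wss://pool.invalid/');
WebAssembly.instantiate(buf).then(function (m) { report({hashes: total}); });
</script></body></html>"""

SAMPLE_CLEAN_PAGE = """<html><body><script src="/static/app.js"></script>
<script>document.getElementById('x').addEventListener('click', function () {});</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("miner", SAMPLE_MINER_PAGE),
                       ("generic", SAMPLE_GENERIC_MINER_PAGE),
                       ("clean", SAMPLE_CLEAN_PAGE)):
        print(name, scan_html(page))
```

The heuristic deliberately needs several tokens in one script before it fires, because any single one of them (WebSocket especially) is common on legitimate pages; an ad-blocker or proxy filter would treat the `known-miner-src` match as a hard block and the heuristic match as a candidate for review.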


Ransomware Fundamentals

The general concept of ransomware is that the victim is forced into paying a ransom in order to gain access to their computer or virtual property.

Crypto Ransomware

Crypto Ransomware (short for Encryption Ransomware) encrypts or encodes the victim’s files on their computer or business network and then demands that the victim pay money in order to regain access to their files. This type of ransomware is the most popular among cyber-criminals and malware creators, due to the profits that they gain through this extortion method. An example of crypto ransomware is CryptoLocker.

Locker Ransomware

Locker Ransomware works by locking the victim out of their computer and then threatening them with the deletion of their files if they do not pay a certain amount of money. Locker Ransomware is usually easy to deal with, as it doesn’t encrypt any files or modify any of the user’s data. This means that the victim can use a rescue disk to remove the ransomware and regain access to their machine.

Crypto Ransomware (Technical Summary)

Creators of Crypto Ransomware usually combine symmetric and asymmetric encryption algorithms, such as AES and RSA, in order to make it extremely hard for security researchers to create a decryption tool for the ransomware. When they encrypt the files, they send the decryption key to their server in a heavily encrypted form, so that even if a law enforcement agency gains access to the criminal’s server, there is no guarantee that the agency will be able to recover the decryption keys. Sometimes, the ransomware can act as a Remote Access Trojan (RAT). This gives the cyber-criminals access to the victim’s computer, allowing them to steal sensitive information as well as install more malware on the machine. In some cases, the malware creators use these RAT capabilities in order to decrypt the files of their victims.

Locker Ransomware (Technical Summary)

Locker Ransomware usually works by modifying the computer’s start-up routine (the Master Boot Record, MBR) so that the ransomware launches when the computer first turns on. The ransomware then blocks the normal logon screen and displays the ransom message instead. Locker Ransomware is not very popular among ransomware creators, because it can easily be removed from the computer with a rescue disk or by removing the ransomware from the MBR. Occasionally, the ransomware may also modify certain registry keys in order to make sure that it launches first at start-up.

Why does ransomware work?

Most ransomware variants use many tactics in order to trick the victim into paying the ransom. These are:

Authority – Some ransomware claim that the ‘FBI’ or law enforcement agencies have access to their machine.

Time – The ransomware tells the user that if they do not pay the ransom by a certain time, their files will be deleted.

Urgency – Ransomware creators know that precious files (such as pictures, videos and other documents) are very important to their victims, resulting in their victims being more likely to pay the ransom in order to get their files back.

What should I do if I am infected by ransomware?

DON’T PAY THE RANSOM – There is no guarantee that you will get your files back if you pay the ransom. Statistics show that one in five people who pay the ransom don’t get their files back. Even if you do pay the ransom, not only are you giving your money to cyber-criminals, but you are also confirming to them that the ransomware works.

REMOVE THE MALWARE FROM YOUR COMPUTER – Use a malware scanner, such as Malwarebytes Anti-Malware in order to remove the malware from your system. If a certain malware scanner is not able to remove the malware, use another malware scanner with a good reputation.

USE A DECRYPTION TOOL – Not every piece of ransomware has a decryption tool available, but a lot of them do. You can use the NoMoreRansom Tool in order to find out what type of ransomware you have been infected by. Once the tool has identified the ransomware, you will be presented with the decryption tool that will decrypt your files for free. Alternatively, you can look for the decryption tools manually by visiting this page.

How can I protect myself from ransomware?

First of all, get a good anti-malware software installed on your device.

Next, add exploit protection mechanisms or software that can protect you from 0-day exploits, which can affect even the most up-to-date system.

Optionally, use custom YARA rules that identify known ransomware families and also have a YARA rule for generic ransomware behaviour.

CREATE BACKUPS! If all of this fails, it’s good practice to have an up-to-date backup ready in case of a ransomware attack.

Extra Stuff

A Brief Explanation of Anti-Ransomware Applications

Over the past 2 years, various companies have developed Anti-Ransomware technologies, designed to stop the vast number of ransomware variants from doing harm on a user’s computer. These programs usually work by classifying applications based on behavioural analysis, system activity, disk activity, and calls to specific functions that encrypt data.

Most ransomware variants found today use asymmetric encryption. This is where the data is encrypted with a public key, and can only be decrypted by using the matching private key, which is kept by the attackers. The private key is usually stored on the cyber-criminal’s server until the user pays the ransom.

The most basic of Anti-Ransomware solutions work by detecting calls / references to specific encryption schemes and calls to certain system libraries such as “system.cryptography”. The problem with this is that non-malicious applications often use these libraries and functions in order to interact with various other things such as the world wide web or VPN connections. Because of this, simply detecting references to these encryption libraries will create lots of false-positive detections.

To avoid this, we can take heuristic signatures from various ransomware families and integrate them into the anti-ransomware application. However, the main problem with this is that it will not detect new ransomware families, which makes the tool useless against exactly the threats it is needed for.

What we need is something that determines whether or not an application is malicious based on its behaviour, heuristic detections, generic encryption detections and other factors. The program should also be able to identify unknown and known ransomware variants that infect a computer. It should also be able to detect any signs of infection by looking at web traffic and determining if an application is sending encryption keys used by the ransomware to a C&C server.

But wait! That’s just the detection 😛 Anti-Ransomware products should also be able to isolate any application detected as ransomware and prevent it from mass-encrypting the system or killing anti-malware products. The product should also be able to reverse the malicious actions executed by the ransomware. It can do this by using shadow copies of files, keeping an external backup of system settings, or simply lowering the access rights of the application so that it can’t touch system settings.
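The behavioural approach argued for above can be sketched in code. The following is an added example, not code from the post or from any of the products it names: a heuristic that scores each process on three behaviours a crypto-ransomware exhibits (many user files overwritten with high-entropy, encrypted-looking data; files renamed to a new extension; ransom-note-like files dropped across directories) and only blocks when at least two of them co-occur, so a browser saving one compressed download, or a legitimate app that merely links a crypto library, stays clean. The event stream, thresholds and ransom-note name markers are all constructed for the example; a real product would feed this from a filesystem minifilter or audit log.

```python
"""Behaviour-based ransomware heuristic over a stream of file-system events (added example)."""
import math
import os
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Filename fragments commonly seen in ransom notes (assumed list for this example).
NOTE_MARKERS = ("DECRYPT", "RESTORE", "RECOVER", "RANSOM")


class RansomwareHeuristic:
    def __init__(self, entropy_threshold=7.5, min_files=5, min_note_dirs=3):
        self.entropy_threshold = entropy_threshold
        self.min_files = min_files
        self.min_note_dirs = min_note_dirs
        self.stats = defaultdict(lambda: {"encrypted": set(), "renamed": 0, "note_dirs": set()})

    def observe(self, ev):
        """Update per-process counters from one event dict (pid, op, path, ...)."""
        s = self.stats[ev["pid"]]
        if ev["op"] == "write":
            if shannon_entropy(ev["data"]) >= self.entropy_threshold:
                s["encrypted"].add(ev["path"])
        elif ev["op"] == "rename":
            if os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]:
                s["renamed"] += 1
        elif ev["op"] == "create":
            name = os.path.basename(ev["path"]).upper()
            if any(m in name for m in NOTE_MARKERS):
                s["note_dirs"].add(os.path.dirname(ev["path"]))

    def verdict(self, pid):
        """Return ("block" | "allow", [reasons]) for a process."""
        s = self.stats[pid]
        reasons = []
        if len(s["encrypted"]) >= self.min_files:
            reasons.append(f"{len(s['encrypted'])} files overwritten with high-entropy data")
        if s["renamed"] >= self.min_files:
            reasons.append(f"{s['renamed']} files renamed to a new extension")
        if len(s["note_dirs"]) >= self.min_note_dirs:
            reasons.append(f"note-like files dropped in {len(s['note_dirs'])} directories")
        # Two independent behaviours are required, so one archive download stays clean.
        return ("block", reasons) if len(reasons) >= 2 else ("allow", reasons)


HIGH_ENTROPY = bytes(range(256)) * 4          # exactly 8.0 bits/byte, deterministic
LOW_ENTROPY = b"Quarterly report, draft 3.\n" * 40


def constructed_events():
    """Constructed sample: pid 4242 behaves like ransomware, pid 777 like a browser."""
    events = []
    for i in range(6):
        p = f"/home/user/Documents/report{i}.docx"
        events.append({"pid": 4242, "op": "write", "path": p, "data": HIGH_ENTROPY})
        events.append({"pid": 4242, "op": "rename", "path": p, "new_path": p + ".locked"})
    for d in ("/home/user/Documents", "/home/user/Pictures", "/home/user/Desktop"):
        events.append({"pid": 4242, "op": "create", "path": f"{d}/HOW_TO_DECRYPT.txt"})
    dl = "/home/user/Downloads/photos.zip"
    events.append({"pid": 777, "op": "write", "path": dl + ".part", "data": HIGH_ENTROPY})
    events.append({"pid": 777, "op": "rename", "path": dl + ".part", "new_path": dl})
    events.append({"pid": 777, "op": "write", "path": "/home/user/Documents/notes.txt",
                   "data": LOW_ENTROPY})
    return events


def run(events):
    """Feed all events through one detector and return {pid: verdict}."""
    h = RansomwareHeuristic()
    for ev in events:
        h.observe(ev)
    return {pid: h.verdict(pid) for pid in h.stats}


if __name__ == "__main__":
    for pid, (decision, why) in run(constructed_events()).items():
        print(pid, decision, why)
```

The entropy check is what replaces the “does it call a crypto library?” test criticised above: it looks at what the process writes, not at which DLLs it imports, so a VPN client or browser that uses the same libraries does not score. The response side (suspending the process and restoring from shadow copies) is left to the caller of `verdict`.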


There are many anti-ransomware solutions out there that you can download. A few examples are Malwarebytes Anti-Ransomware, Kaspersky Anti-Ransomware and Emsisoft’s Behaviour Blocker. Keep in mind, it is impossible to detect 100% of all ransomware variants, but you can protect yourself from the vast majority of ransomware by using a good security product.


BACKUP BACKUP BACKUP… It is important to always have backups ready and up to date in case you ever do get affected by ransomware. Backups should never be kept in the same environment as your normal hardware systems; they should be physically separated, either on different drives or on magnetic tapes.


My Summary of Cyber Security in 2016

In early 2016 security researchers across the world noticed an increase in ransomware. In fact, it was an estimated 200-400% rise in the number of ransomware infections. Such ransomware families included TeslaCrypt, Cerber, Jigsaw and many others that were propagated in many different forms – Malvertising, File-Sharing and compromised websites.

For a lot of 2016, the US presidential election made headlines across much of the world, with Trump being ridiculed for his policies and beliefs. The Clinton email scandal also prompted an investigation by the FBI, which concluded that she was not guilty. However, this was disputed by activists and people in the cyber-security industry after the release of the Clinton emails from the breach of her personal email server.

In August 2016, the British Parliament authorised a bill which would allow certain organisations and ISPs to spy and collect the data of British citizens and users of British internet connections. Soon after, the creator of the World Wide Web, Sir Tim Berners-Lee, tweeted “Dark, dark days”, as a reference to this bill. Some people took even more action by stating that they would be using the Tor Anonymity Network as well as VPNs in order to circumvent the collection of internet traffic.

WikiLeaks released emails from the Italian company HackingTeam, showing that they had targeted computer security companies, aiming to find vulnerabilities in their software and then exploiting these to prevent their backdoor/spy programs from being detected. It was also revealed that they had worked with the British counterpart of the NSA – GCHQ – to gain a warrant in order to disassemble software belonging to the security companies. This warrant was supposedly issued by the foreign secretary of the United Kingdom sometime in early 2016. In the HackingTeam emails, it was discovered that they used ‘demo’ targets in order to provide a simulation of what their malware would do once the victim’s infrastructure had been infected. Their malware included Remote Access Trojans and backdoor programs running on various operating systems and infrastructures.

In late 2016, internet users across the world experienced the effects of the DDoS attack on Dyn’s services, caused by the Mirai botnet. This DDoS attack interrupted many services including Twitter, Soundcloud, Spotify and more. Security researchers found that the malware used by the botnet specifically targeted IoT devices, as well as home routers. Some hysteria found its way to Twitter, with some users claiming that Russia was behind the attack, however, security experts quickly concluded that the Mirai botnet was mainly based in the United States of America.

With ransomware on the rise, security vendors have been forced to take the necessary steps in order to protect their customers from ransomware. One such attempt was the creation of ‘No More Ransom’ (by Intel Security, Kaspersky Lab and various law enforcement agencies in many countries), aiming not only to help people who had been infected by ransomware, but also to educate them about the growing threat facing today’s computer users. Some ransomware variants even allow victims to decrypt their files by infecting other people with the ransomware.

Yahoo was hit by two massive security breaches. The first one exposed the information and personal data of around 500,000,000 people worldwide. The second exposed the personal information of 1,000,000,000 users worldwide. In both instances, Yahoo claimed that it was a state-sponsored attack, which explains why the breached data has not been released to the public yet. However, some security researchers, such as Troy Hunt, suggested that the phrase ‘state-sponsored’ was simply used to make the breach seem less important to victims, resulting in the victims dismissing the breach as a minor incident.

2016 also saw a large number of phishing attacks utilising services such as Gmail and Hotmail in order to trick users into clicking on fake attachments. These fake attachments would then open a raw HTML page in the browser, disguised to look like the Google login page. These fake login pages contained keylogger scripts (usually in JavaScript) that would send the keystrokes of the victim to the threat actor behind the phishing attack. If the keylogger failed, the username and password would be sent to the attacker when the user clicked the submit / login button. The user wouldn’t notice anything, as once they had “logged in”, they would be redirected to the real email website.

With 2016 coming to an end, I want to wish everyone a happy holiday! In terms of Information Security, 2016 has been a crazy year. I used various services / information sources to research this year’s events before writing this blog post. They can be found below:

How I dealt with the Ztorg Android Malware

On Sunday 10th July 2016 at 03:00 GMT, Kaspersky Internet Security for Android detected 2 pieces of malware on my device within a pirated version of Minecraft Pocket Edition. (Yes I pirate games if I have to)

10 minutes later, the scan finished and KIS stated that it had found one malicious app running in memory and 1 malicious apk file in the downloads directory. KIS then identified the 2 threats as Trojan.AndroidOS.Ztorg, which I googled and later discovered that it was a Remote Access Trojan connected to the Triada Malware Family. The online article written by Kaspersky Lab said that the only way to remove the Trojan was to either “root” the device or jailbreak the device and remove it manually. I wasn’t willing to jailbreak my device, so I decided to wipe all data off the device and wipe everything in memory.

Later that day, I connected my Android device to my computer (Making sure the malware wouldn’t spread of course) and started transferring important files over to my PC before I wiped everything from the device. At the time, I was also watching a livestream at

After I had transferred all important files, I held the power button and the volume up button for about 30 seconds. This rebooted the device into the Android boot menu, similar to the F8 screen on Windows PCs. I then selected Factory Reset, which only took about 10 seconds, so I did it again to make sure everything had been deleted. I also cleared everything from the system cache and memory so that the Trojan did not re-infect the device, once I restarted it.

How did I actually get infected with the Ztorg Malware?

I had downloaded a pirated copy of Minecraft Pocket Edition a few months earlier. I never knew that it was infected, and KIS didn’t find any threat when I installed it, so I assumed that it was safe. Never download any pirated / cracked / modified version of a game, because you risk being infected.

Also, there’s no point reporting this to Mojang, because Mojang have stated that as long as you don’t distribute / share pirated copies of their games, they don’t care if you use a pirated copy or not.


Triada Malware Article by Kaspersky

Triada Man-In-The-Middle Attacks

Adblock can be good for you

Many people use adblock (Including me) and I noticed that a lot of businesses are stating that adblockers are bad and people should not use them.

Don’t listen to it. Adblockers play an important role in security by blocking compromised adverts, malvertising, clickjacking and malicious web resources, which will infect users with all sorts of malware. Anything from ransomware to spyware can infect the user.

What is malvertising?

Malvertising is the use of 3rd party advertisements to infect users with malware. Often these malicious adverts contain scripts that redirect the user through a series of exploits that infect the user with malware. The most common type of malware used as a payload of exploits is ransomware.

What is clickjacking?

Clickjacking is the use of adverts to hide a malicious webpage on top of something that the user can interact with on the parent page. For example, websites offering downloads sometimes have ads which cover the download button, so the user clicks on the malicious webpage, however they actually meant to click on the real download button. As a result of the clickjacking attack, the user is now infected with malware.

I understand that you need income

Of course, everyone needs some sort of income to stay alive and keep doing what they do, but companies and businesses should not blame people that use adblock for their loss of income. Instead, they should blame the people that host malicious advertisements, as research has shown that malicious adverts are on the rise, meaning that the rise in adblock could actually be caused by the rise in malvertising.

What kind of exploits are being used?

Malwarebytes has discovered the use of both the Neutrino exploit kit and the RIG exploit kit in malicious adverts. These exploits were infecting the user with CryptoWall ransomware. You can learn about a recent example of malvertising and the exploit kits named above here.


Just to be clear. I am not against the use of adverts to gain income. I am against the use of malicious advertisements. (In other words I just don’t want to be infected with malware)

I would recommend Malwarebytes Anti-Exploit to protect against exploits in vulnerable applications!

The Methods of Spreading Malware

Malware can spread in many different ways. This blog will explain most of the different methods and how they are used.

The World Wide Web

The World Wide Web is used in a number of ways to spread malware and infect vulnerable people. One of the most common techniques is to trick the user into downloading and running a piece of software that appears to be from a legitimate source/company, but is actually rigged with malware. This type of malware is known as a trojan horse, but the techniques used to encourage the user to actually download and run the malware are called phishing. Websites that offer pirated software/files, such as The Pirate Bay, often host these trojan horses, because criminals will upload their malware onto the site bundled with other pirated content, making it easy for them to infect those who download illegal / pirated content.
Another method of spreading malware via the World Wide Web is through compromising websites. This is where hackers modify a webpage to contain malicious resources by exploiting vulnerabilities in the website. Usually the malicious resources / content are hosted on an external site owned and controlled by the hackers. They compromise iFrames to display their malicious resources on the webpage, resulting in the victim being infected by the malware.

USB / Removable Devices

Some devices require your computer to boot off them in order to function properly, and unfortunately malware authors use this to their advantage. Malware uses your USB drive as a way to transfer itself onto other computers. Weirdly enough, if you have the correct knowledge of how to find hidden / protected files, then it should be pretty easy to find USB infections. Files like ‘autorun.inf’ or ‘konboot.gz’ are often used by malware to spread itself onto other machines. Such methods of spreading are only really utilised by viruses or worms, but occasionally you may see a piece of ransomware use this as well.
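The ‘autorun.inf’ check described above can be automated. The script below is an added example, not code from the post: it parses the `[autorun]` section of a removable drive’s autorun.inf by hand (the format is INI-like but often sloppy, so no strict parser is used), reports what the `open`, `shellexecute` and `shell\open\command` keys would launch and whether that file is actually present on the drive, and lists any executable sitting in the drive root. The sample drive is built in a temporary directory with constructed contents; the key names are the real ones Windows honoured for AutoRun, and the list of executable extensions is an assumption for the example.

```python
"""Inspect removable media for AutoRun-style infection markers (added example)."""
import os
import tempfile

# Keys in [autorun] that cause a program to be launched (real AutoRun key names).
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Extensions treated as executable for this example (assumed list).
EXEC_EXTS = (".exe", ".bat", ".cmd", ".vbs", ".scr", ".pif", ".com", ".js")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; tolerant of junk lines."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def referenced_file(value):
    """First token of a launch value, normalised to a relative path ('setup.exe /s' -> 'setup.exe')."""
    if not value.strip():
        return ""
    target = value.strip().split()[0].strip('"')
    return os.path.normpath(target.replace("\\", "/"))


def scan_removable_root(root):
    """Return a list of finding dicts for the root directory of a removable drive."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf_path):
        with open(inf_path, "r", errors="replace") as f:
            entries = parse_autorun(f.read())
        for key in AUTORUN_LAUNCH_KEYS:
            if key in entries:
                target = referenced_file(entries[key])
                findings.append({
                    "key": key,
                    "target": target,
                    "present": os.path.isfile(os.path.join(root, target)),
                    "executable": target.lower().endswith(EXEC_EXTS),
                })
    # Executables in the root of removable media deserve a second look on their own.
    for name in sorted(os.listdir(root)):
        if name.lower().endswith(EXEC_EXTS):
            findings.append({"key": "root-exe", "target": name,
                             "present": True, "executable": True})
    return findings


def build_sample_drive():
    """Constructed sample: a temp dir standing in for an infected USB stick."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\n; constructed sample, not a real infection\n"
                "open=setup.exe /silent\nicon=setup.exe,0\nlabel=Holiday Photos\n")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real executable")
    os.mkdir(os.path.join(root, "Photos"))
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for finding in scan_removable_root(drive):
        print(finding)
```

On modern Windows the `open` key no longer triggers automatically for USB drives (Microsoft disabled AutoRun for non-optical media in 2011), but the file is still a reliable marker that a worm visited the stick, and `present=False` findings are just as interesting: they show a launcher that was cleaned up while the autorun.inf was left behind.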

Network / Internet Connections

Network worms, rootkits and even sometimes ransomware will arrive and infect your computer via internet connections. The malware is sent to you through packets that evade Firewalls and network protection. They can also spread via local connections and wireless connections making them sneaky and hidden to the user. Malware can also be spread to systems via shared / public folders on the network.
I don’t really know a lot about how network traffic works, so this section is not explained very well.

Compromised Windows Updates / Windows Activation

If you own a pirated / cracked copy of Windows, you may be infected with malware, as the people who host the servers to “activate” your cracked copy of Windows may install malware onto your system through a trojan backdoor. Moreover, they might even inject malware right into your Windows Update, allowing them to gather your documents and personal information. Many services / companies that host Windows Activation servers have been notorious for doing this.


Malware authors send unwanted emails (spam) to try to trick users into running malware. This malware can even be hidden in the email itself, so viewing, previewing or even just loading the subject of the email may infect the user. Fortunately, many email providers have filters and protection against this, but you cannot guarantee that every threat will be blocked. Never open unexpected emails or emails from someone you don’t trust.
Malware authors can also send emails using someone else’s email address via Outlook Express on Windows PCs. Outlook Express has had countless vulnerabilities in its history and I do not recommend using it. Nor do I recommend using any operating system older than Windows 7.


If I missed out any other methods, please tell me here.
I did a bit of research on malware before I wrote this blog post. If you are wondering, I watched a Pluralsight course called “Ethical Hacking: Malware Threats” by Dale Meredith.
I highly recommend starting that course 🙂