Crypto technology, turned to malicious use, became one of the worst attack software categories of 2019?

Source: Bitcoinmagazine. Translation: Fire Sauce. Produced by: Blockchain Base Camp (blockchain_camp)

Original title: "Success thanks to Xiao He, failure thanks to Xiao He? Crypto technology, exploited maliciously, became one of the worst attack software categories of 2019!"

Our ancestors left us a great deal of wisdom in widely circulated sayings: "success thanks to Xiao He, failure thanks to Xiao He", "water can carry a boat, but can also capsize it", "misfortune is where fortune leans, fortune is where misfortune hides", and so on.

These sayings still apply today. Take "crypto" technology as an example: whether it is cryptocurrency or encrypted information, the purpose of "encryption" is to "protect" something. Although there is a saying that "technology itself is innocent", who uses a technology, and where, matters a great deal.

So what happens when crypto technology is turned into a means of malicious attack?

Applications of crypto technology

As a tool, cryptography works in two different ways.

1. It can hide information by encrypting it;

2. Given the right information, it can also trace data. When people cite transparency as the main value of cryptocurrency or Bitcoin, they are talking about this second mode.

In most cases, using the more transparent form of crypto technology (cryptocurrency) as a substitute for fiat money in financial transactions will ultimately concentrate significant rights in the hands of business entities and government agencies. However, among the many people who take the crypto future seriously, anonymous hackers are rarely discussed. Last year those anonymous hackers proved, day after day, that as long as ordinary users keep making the same operational mistakes, the Internet will keep offering new profit opportunities to bad actors.

Threat analysis firm Webroot has just released its list of the nastiest malware of 2019. From ransomware-as-a-service to sophisticated phishing scams, cryptomining and cryptojacking, the list points to a resurgence of ransomware attacks. Although crypto-based attacks have declined, as long as cryptocurrencies retain value they will not disappear entirely.

[Image: 2019 malware list]

The research data in Webroot's report comes from the billions of networks and devices it protects every day. Using machine learning algorithms, Webroot scores more than 750 billion URLs and more than 450 million domains per day.

To better understand the current level of malware threats Webroot sees (and especially how much cryptomining and cryptojacking occurred in 2019), the magazine interviewed Webroot security analyst Tyler Moffitt.

Ransomware is the biggest threat

In addition to his work at Webroot, Moffitt is a cryptocurrency advocate. He has been mining cryptocurrencies in his basement since Bitcoin hit a record high of $20,000 in December 2017. Moffitt used solar panels when mining. "Fortunately, the electricity bill is not too high," he said with a smile.

[Image: Tyler Moffitt]

Comparing Webroot's 2019 report with the previous year's, the overall threat level does not seem to have changed much. As the price of Bitcoin fell from its all-time high at the end of 2017, the threat from cryptomining and cryptojacking declined too.

This left room for a resurgence of ransomware attacks over Remote Desktop Protocol (RDP), popularized by the Iranian hacker group SamSam. At the end of last year, SamSam tried to convert its bitcoin ransoms into Iranian rials on a cryptocurrency exchange and was subsequently traced and prosecuted. RDP weaknesses are now the biggest attack vector for SMBs.


Emotet is one of the largest and most infectious malware families on the Internet today. It is a first-stage payload whose main job is to profile how a computer environment is used. In terms of economic loss it may have been the most annoying and most successful ransomware attack software of 2019, followed by the second-stage payload TrickBot and Ryuk (which, once a network is infected, encrypts it at scale).


After the SamSam arrests, GandCrab, with its affiliate program (recently discontinued), became the most widely used and most lucrative example of ransomware-as-a-service (RaaS). The program is said to have extorted more than $2 billion from its victims. Like most ransomware-based attacks, GandCrab first infects a computer and then encrypts its files, holding them hostage until the victim agrees to pay the ransom.

The RaaS concept mainly originated with the Russian cybercrime gang known as the Business Club. Technically, the service itself infects no one. Instead, it offers the payload as a service (in this case GandCrab, via Tor), and customers set their own parameters and generate their own ransomware variants to deploy according to their specifications.

Unlike a legitimate business, the RaaS model relies on scripts with built-in rules that automatically send 30% of each victim's ransom back to the service provider. If an affiliate infects a certain number of computers each month, GandCrab lowers its cut, and GandCrab's success depended on this. Sodinokibi/REvil is another ransomware variant that appeared in 2019, after GandCrab's retirement.

Cryptomining and cryptojacking threats are currently receding

Although the threat from cryptomining and cryptojacking will probably never disappear, it receded in 2019. This is mainly due to the continued decline in the price of Bitcoin since the end of 2017 and the beginning of 2018. According to the report, since Bitcoin fell from its 2018 peak this threat has been receding, down about 5% from the previous month.

Moffitt said: "This is true. When Bitcoin prices soared to $20,000, we saw cryptojacking and cryptomining payloads soar to the top. Their prices plummeted in January, but then quickly picked up in June."

The difference between the two cryptocurrency mining attacks is that cryptojacking happens in the browser tab: the user visits a website that deploys a cryptocurrency mining script. A cryptomining attack, by contrast, is an executable payload that the user never intended to download or run on the computer.

Both mining-based attacks thrive in environments with high-quality hardware, and unlike ransomware they do not depend on the victim being willing to pay a ransom. As a result, they are more likely to yield immediate (though smaller) economic returns. They are very subtle and can be launched without the victim's permission or knowledge. As Moffitt points out: "It is well known that no one complains or lodges a complaint when paying with cryptocurrency."

Some people may not notice that a hacker has hijacked their computer to mine cryptocurrency, assuming hackers do not affect real life. Once a computer is infected, it slows down and its CPU usage rises dramatically. But hackers have found a way around this by scaling the mining according to whether the victim is using the infected computer. If the computer is receiving mouse or keyboard input, someone is using it, and the mining program throttles itself down to a smaller share of the computer's total CPU. When the user stops working on the computer, it returns to 100% capacity.
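The throttling trick described above leaves a measurable fingerprint: a process whose CPU use is high only while nobody is at the keyboard. The following is an added detection example (not code from the article or from Webroot) that runs that heuristic over constructed per-process CPU samples tagged with whether the console user was active; the process names, thresholds and sample values are all assumptions for the demo.

```python
from collections import defaultdict
from statistics import mean

# Constructed telemetry: (process name, CPU percent over one sampling interval,
# whether the console user was active during that interval). A real feed would
# come from an EDR agent or a scheduled collector; these values are made up.
SAMPLES = [
    ("browser.exe", 55, True), ("browser.exe", 60, True),
    ("browser.exe", 5, False), ("browser.exe", 3, False),
    ("svc_update.exe", 8, True), ("svc_update.exe", 10, True),   # throttled miner pattern
    ("svc_update.exe", 96, False), ("svc_update.exe", 99, False),
    ("backup.exe", 2, True), ("backup.exe", 1, True),           # legitimate idle-time job
    ("backup.exe", 85, False), ("backup.exe", 90, False),
    ("idle_low.exe", 1, True), ("idle_low.exe", 1, True),
    ("idle_low.exe", 2, False), ("idle_low.exe", 1, False),
]

IDLE_CPU_MIN = 70.0     # "runs flat out while nobody is at the keyboard" (assumed threshold)
THROTTLE_RATIO = 0.5    # active-time CPU is at most half of idle-time CPU (assumed threshold)


def idle_aware_cpu_profile(samples):
    """Per process: (mean CPU while the user is active, mean CPU while idle)."""
    active = defaultdict(list)
    idle = defaultdict(list)
    for proc, cpu, user_active in samples:
        (active if user_active else idle)[proc].append(cpu)
    profile = {}
    for proc in set(active) | set(idle):
        profile[proc] = (
            mean(active[proc]) if active[proc] else 0.0,
            mean(idle[proc]) if idle[proc] else 0.0,
        )
    return profile


def flag_throttled_miners(samples, idle_cpu_min=IDLE_CPU_MIN, ratio=THROTTLE_RATIO):
    """Return processes whose CPU is high only when the console is idle, sorted by name.

    This is a triage signal, not a verdict: scheduled idle-time work such as
    backups or indexing matches the same profile (see backup.exe in the sample),
    so hits should be combined with binary reputation and network destinations.
    """
    flagged = []
    for proc, (active_cpu, idle_cpu) in sorted(idle_aware_cpu_profile(samples).items()):
        if idle_cpu >= idle_cpu_min and active_cpu <= ratio * idle_cpu:
            flagged.append(proc)
    return flagged


if __name__ == "__main__":
    for proc, (a, i) in sorted(idle_aware_cpu_profile(SAMPLES).items()):
        print(f"{proc:16s} active={a:5.1f}% idle={i:5.1f}%")
    print("suspicious:", flag_throttled_miners(SAMPLES))
```

On the constructed data both the throttled miner and the legitimate backup job are flagged, which is exactly the false-positive class an analyst has to resolve by other means (parent process, signing status, outbound connections to mining pools).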


To date, Monero (XMR) is the most popular cryptocurrency for cryptomining and cryptojacking attacks. According to Moffitt, this is not primarily because Monero is a privacy coin whose transaction ledger only the sender and receiver can view (though that is still an advantage), but because Monero's mining algorithm is ASIC-resistant.

Monero's development team uses this to weaken large mining companies such as Bitmain and Dragonmint, which typically use specialized high-performance mining hardware to dominate or monopolize the hash rate of other coins. Monero's regular soft forks change its algorithm, making specialized chips no more efficient than, or even useless compared with, consumer hardware such as notebooks, desktops and graphics cards.

"The Monero development team hates the fact that a few manufacturers or suppliers monopolize the type of hardware in the mining pool (basically everyone who mines Bitcoin uses specific hardware produced by one of those companies). So every few months Monero changes its algorithm through a soft fork, so that no one can develop a specific chip for efficient Monero mining."

While this created many opportunities for miners using consumer hardware, it also had an unexpected result: Monero became a hacker's dream. Hackers can profit from mining without bearing any hardware cost beyond deploying their payloads, since the victim machines are already fully equipped.

The Coinhive Debacle

One of the most famous examples of hackers finding an opportunity in Monero's mining algorithm is Coinhive's cryptojacking script. There is no evidence that Coinhive designed its mining script for hackers to use as malware. Taking that at face value, Coinhive designed a mining script that lets a website generate revenue legitimately by mining in the visitor's open browser tab instead of showing online ads.

[Image: the cryptojacking script Coinhive designed for websites]

Moffitt said: "It exploded in September 2017. I dare say that 95% to 98% of all accounts or activities running Coinhive scripts were criminals who hacked into pages and hosted the script on them, and then Coinhive got a 30% profit from it."

When Coinhive was told that its script was being used illegally, it immediately blocked the hacker's account. However, it only stopped a script from running after receiving notification from the administrator of the infected site, perhaps because Coinhive could not distinguish websites infected with its script from websites using its service voluntarily. But media opinion was so negative at the time that this explanation did not help, and Coinhive shut down in March 2019, with the entire cryptocurrency market, and Monero in particular, at an annual low.

Since Coinhive's closure there have been many imitators, such as Cryptoloot and CoinImp, most of which deploy scripts to mine Monero.
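Because browser cryptojacking (as described above) is just a script tag on a page, the most useful check for a site owner is a content audit of what scripts the page actually loads. The following added example, which is not code from the article, Coinhive or Webroot, parses an HTML document, flags external scripts that are either on a miner indicator list or simply not on the site's own allowlist, and greps inline scripts for miner patterns. The hostnames and the sample page are constructed; `CoinHive.Anonymous` was the constructor exposed by the original Coinhive browser miner, and the `stratum+tcp://` scheme is the usual mining-pool URL form, but an analyst would maintain their own indicator list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator lists (constructed for the demo; replace with your own feed).
MINER_HOST_INDICATORS = {"miner-cdn.example", "pool-proxy.example"}
MINER_CODE_PATTERNS = [
    re.compile(r"CoinHive\.Anonymous\s*\("),      # original Coinhive miner constructor
    re.compile(r"stratum\+tcp://", re.IGNORECASE),  # mining-pool URL scheme
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_page(html, allowed_hosts):
    """Return (finding kind, detail) pairs for scripts that need a second look.

    Relative script URLs (no host) are treated as first-party and skipped;
    anything from a host outside allowed_hosts is reported even when it is not
    a known miner, because an injected miner usually arrives from a new host.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host in MINER_HOST_INDICATORS:
            findings.append(("known-miner-host", src))
        elif host and host not in allowed_hosts:
            findings.append(("unexpected-third-party-script", src))
    for body in parser.inline:
        for pattern in MINER_CODE_PATTERNS:
            if pattern.search(body):
                findings.append(("miner-code-pattern", pattern.pattern))
    return findings


# Constructed sample page: one allowed CDN script, one first-party script,
# one known miner host, one unexpected third party, and an inline miner call.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.allowed-site.example/app.js"></script>
<script src="/static/site.js"></script>
<script src="https://miner-cdn.example/lib/miner.min.js"></script>
<script src="https://analytics.other.example/a.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER');
  miner.start();
</script>
</head><body><p>hello</p></body></html>"""

ALLOWED_HOSTS = {"cdn.allowed-site.example"}

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind:32s} {detail}")
```

The same allowlist is what belongs in a `Content-Security-Policy: script-src` header: a miner injected from a host the policy does not name is then blocked by the browser rather than merely reported after the fact.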

[Image: Coinhive has shut down]

Although cryptomining attacks may be decreasing, Moffitt insists they are still a big threat: "We have blocked more than 1 million attempts, and there are still 80,000 URLs running cryptojacking attacks."

These attacks now focus more on free online streaming platforms and porn sites, where visitors spend longer on a single page than the average user.

In addition, any access to the vast resources of cloud computing offers a rare opportunity for hackers who want to mine cryptocurrency. The most recent attempt on record took place earlier this month, when hackers posing as game developers built a vast network of AWS accounts to mine cryptocurrency. Two other cryptomining attacks that were prevalent in 2019:

  • Hidden Bee: Hidden Bee is an exploit that delivers cryptomining payloads. It started with last year's IE vulnerability and has evolved to hide payloads in JPEG and PNG images through steganography, and to abuse the WAV media format and Flash vulnerabilities.
  • Retadup: Retadup is a cryptomining worm with more than 850,000 infections. It was taken down in August by the French National Gendarmerie's Cybercrime Center (C3N) after it took control of the malware's command-and-control server.
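The simplest way malware hides a payload "in" an image is to append it after the image's end-of-image marker, where viewers ignore it. The following is an added triage example (not code from the article, Webroot or any Hidden Bee analysis) that walks a PNG's chunk list to IEND, verifying each chunk CRC, or a JPEG's marker segments to EOI, and reports how many bytes trail the marker. The sample images and the appended payload are constructed; a hand-built, non-decodable JPEG skeleton is used so the block runs offline. This catches appended data only: pixel-level steganography or payloads stored inside otherwise valid chunks need a different check.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data):
    """Walk PNG chunks to IEND. Returns (bytes after IEND, all CRCs valid, chunk types)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, crc_ok, types = len(PNG_SIG), True, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            crc_ok = False                      # tampered or hand-edited chunk
        types.append(ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            return data[pos:], crc_ok, types
    raise ValueError("no IEND chunk")


def jpeg_trailing_bytes(data):
    """Walk JPEG marker segments (including entropy-coded scans) to EOI; return what follows."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: everything after it is foreign
            return data[pos + 2:]
        if marker == 0xFF:                      # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip entropy data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker")


def scan_image(data):
    """Dispatch on magic bytes and report how much data trails the end-of-image marker."""
    if data.startswith(PNG_SIG):
        trailing, crc_ok, types = png_trailing_bytes(data)
        return {"kind": "png", "trailing_len": len(trailing), "crc_ok": crc_ok, "chunks": types}
    if data.startswith(b"\xff\xd8"):
        return {"kind": "jpeg", "trailing_len": len(jpeg_trailing_bytes(data)), "crc_ok": None, "chunks": []}
    raise ValueError("unsupported format")


# --- constructed samples -------------------------------------------------
def _png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Valid 1x1 greyscale PNG: IHDR, one IDAT (filter byte + pixel), IEND.
SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _png_chunk(b"IEND", b""))

# Structurally minimal JPEG skeleton: SOI, APP0, SOS header, entropy bytes with a
# stuffed FF00 and an RST0 marker, then EOI. Not decodable, only walkable.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0" + b"\x00\x04\x00\x00"
               + b"\xff\xda" + b"\x00\x08\x01\x01\x00\x00\x3f\x00"
               + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")

PAYLOAD = b"CONSTRUCTED-PAYLOAD-STANDIN"        # stands in for an appended blob

if __name__ == "__main__":
    for name, blob in [("clean png", SAMPLE_PNG), ("png+tail", SAMPLE_PNG + PAYLOAD),
                       ("clean jpeg", SAMPLE_JPEG), ("jpeg+tail", SAMPLE_JPEG + PAYLOAD)]:
        print(name, scan_image(blob))
```

A non-zero `trailing_len` or a failed CRC is a reason to pull the file for closer analysis, not proof of malice by itself: some cameras and editors also leave trailing metadata.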

[Image: the most recent attack on record]

Future crisis

While cryptojacking seems to be past its heyday and has become relatively easy to stop, cryptomining payloads remain a great opportunity for hackers who do not want to deal with ransomware.

Moffitt said: "These attacks are untraceable and the payments can't be stopped. When you get the cryptocurrency from the mining pool, it's basically already laundered."

He also believes that cryptomining as a payload can be applied to any smart device with Wi-Fi, which has attracted worldwide attention.

Large-scale IoT infections (such as those caused by infected MikroTik routers in 2018) are an attack vector, and he believes such infections will increase and snowball as prices rise.
