Security researchers uncovered that a version of Jigsaw, an old ransomware, has resurfaced as a bitcoin stealer. This iteration of Jigsaw (detected by Trend Micro as RANSOM_JIGSAW.THGBDAH) is also known as BitcoinStealer through strings embedded in the malware’s code. The malware steals the contents of the victim’s bitcoin wallet by using an open-source command-line tool (VanityGen) to modify the victim’s bitcoin address to divert its contents to the cybercriminal’s account.
The subtle modification can mislead victims into thinking that the cybercriminal and victim’s bitcoin addresses are similar. It does this by using VanityGen to alter the bitcoin address in clipboards.
According to the researchers, the cybercriminals have already netted 8.4 bitcoins (US$66,807 as of July 24, 2018) using the repurposed malware. They also saw similar cryptocurrency address-modifying services peddled in dark web forums and websites.
Emerging as a file-encrypting malware in April 2016, Jigsaw pressured victims into paying the ransom by setting a time limit and incrementally deleting files. It has since evolved and matured, using tactics and business models that included incorporating live chat support and revamping its ransom notes (e.g., using images from the Saw films and Anonymous) and demands.
Given that Jigsaw’s source code has long been available online, it’s unsurprising that cybercriminals rehashed it into a malware that cashes in on cryptocurrency’s popularity. And Jigsaw isn't the only one to adapt to the times.
A recent example is the Rakhni trojan, which can deliver either a ransomware or cryptocurrency-mining malware depending on the affected system’s configurations. Trickbot, initially known as an information stealer, incorporated screen-locking capabilities typically associated with ransomware. Cerber ransomware also added cryptocurrency theft to its routines. Cybercriminals also used notorious exploits like EternalBlue to mine cryptocurrency. In 2017, cryptocurrency mining was the most detected network event in devices connected to home routers.
Jigsaw is just one example of how threats continue to adapt, evolve, and ride on popular trends — such as cryptocurrency mining. Here are some best practices:
Practice security hygiene: Think before clicking, and carefully scrutinize unsolicited or suspicious emails and messages requesting for personally identifiable information.
Tighten privacy and security settings: Protect cryptocurrency wallets and its contents from malware and unauthorized modification, such as multifactor authentication, split wallets and cold storage (keeping the funds offline).
Enforce defense in depth: For enterprises, actively monitor systems for anomalous activities and array security mechanisms at each layer of the organization’s network, servers, gateways, and endpoints.
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques to protect systems from all types of threats, including ransomware and cryptocurrency-mining malware. It features high-fidelity machine learning on gateways and endpoints, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ security protects against today’s threats that bypass traditional controls; exploit known, unknown, or undisclosed vulnerabilities; either steal or encrypt personally identifiable data; or conduct malicious cryptocurrency mining. Smart, optimized, and connected, XGen™ security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).