WASHINGTON – When unauthorized software found its way onto the network of a small Tennessee hospital, the culprits didn’t ask for ransom. They didn’t steal records.
What they did was silently harness computing power for a moneymaking task.
The task was to “mine” digital currency, and the culprits did it by yoking together a quiet army of infected computers to generate a stream of money.
It is a trend that coincides with the dizzying trajectory of many digital currencies, which skyrocketed in 2017, dipped early this year and recovered in the past several days.
Cybersecurity experts call it “cryptojacking” — hijacking computers to produce digital currency, like Bitcoin, Litecoin and Monero that have been in the news.
Infected networks or computers perform double duty, conducting normal functions (perhaps a bit more slowly) while also obeying remote commands to do calculations that generate digital currency for the criminals, or wrongdoers, who may be company insiders. As many as 24,000 patients of the Decatur County General Hospital in Parsons, Tenn., were notified in a Jan. 24 letter from the hospital that a server had been compromised, the HIPAA Journal reported.
“The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency,’ ”the hospital told patients, adding that it had no indication that intruders sought patient data like Social Security numbers or clinical and insurance information.
An Israeli firm, Radiflow, reported last week that a large European wastewater site had five of its servers infected by “cryptojacking” malware.
Radiflow’s chief executive, Ilan Barda, said that regulators asked him not to identify the country where the infection occurred although he called it “quite a modern one.”
“Unfortunately, it’s spreading quite widely,” Barda said of the infection. “There are reports now of Android devices being infected and reports of home devices and enterprise devices [being infected].”
The attacks that spread around the world last year, in which malicious code would encrypt hard drives and flash a message on the screen demanding payment to decrypt files, have ebbed.
“We’ve seen a big drop-off in those attacks and the same mechanisms that were delivering those attacks in the past now install these crypto-miners instead,” said Ryan Olson, director of threat intelligence for Palo Alto Networks, a Reston, Va., cybersecurity firm
The earnings from an infected computer might seem marginal. Cisco Talos, a threat intelligence firm, calculated last week that an average computer might earn only the equivalent of 25 cents a day. But experts say it’s a volume business. If 2,000 computers are harnessed together in an unseen network, it “could generate $500 per day or $182,500 per year,” the company said in a posting.
“Talos has observed botnets consisting of millions of infected systems, which using our previous logic means that these systems could be leveraged to generate more than $100 million per year theoretically.”
Palo Alto Networks estimated in a posting Jan. 24 that at least 15 million computers had been conscripted into crypto-mining operations worldwide, most heavily in Asia.
Criminal enterprises are not the only culprits in using computers on the sly to generate digital currency, said Richard Ford, chief scientist at Forcepoint, a Reston, Va., cybersecurity firm.
“It’s entirely possible for an employee whose got a server sitting around to go, ‘Oh, I can make some money on the side, even if it’s only 100 bucks or a couple hundred bucks a week or a month by having this running in the background, and I’m not really hurting anyone.’ Of course, you are. You are taking resources from the company you work for,” Ford said.
The Tennessee hospital was careful not to blame an outside criminal group, saying only that unauthorized crypto-mining software had been introduced to its server.
In the networks used by cryptocurrencies, miners solve mathematical puzzles as a way to confirm transactions. They obtain new cryptocurrency as a reward. Specialized processor farms have been set up in some countries to mine Bitcoin, but other digital currencies can still be mined on small computers, or even handheld phones. Infected computers and networks can slow down as their processors are forced into great activity. Hackers are not necessarily looking for powerful computers, experts said.
“You make it up in numbers,” Ford said. “You don’t need the fastest computer.”
In the variant that Palo Alto Networks tracked, the malware was used to mine only a newer digital currency, Monero, which has won favor with criminal groups.