SPONSORED CONTENT
Confronting the threats of cryptojacking and ransomware
Contents
2 Cybercriminals leverage software and cloud
5 From IDC: Debunking the myth of the “recent” ransomware problem
7 Software alone can’t solve the problem
8 Software security solutions strengthened with Intel hardware features
10 Summary: More agile and data-driven cyberdefenses
Cybercriminals leverage software and cloud

Malware is a technology scourge of the modern era, infecting computer assets for nefarious purposes, often without the knowledge of enterprises. Defenders are often left plugging security gaps after the fact, while the attackers are changing tactics and looking for new opportunities to wreak havoc.

Ransomware and cryptojacking—the hijacking of computer resources to mine cryptocurrencies—represent critical economic threats. Awareness of the ransomware threat has steadily increased due to the impact of successful attacks, while cryptojacking represents a more insidious assault.

Ransomware-related activity in the U.S. is on track to exceed $1 billion in 2021. According to a recent U.S. Treasury Department analysis, the total value of ransomware-related suspicious activity reported during the first six months of 2021 was $590 million, exceeding the value reported for the entirety of 2020 ($416 million); the full-year 2021 projection is $1.18 billion. (Remember: the impact of ransomware goes far beyond the ransom, as the business disruption can be the costliest component of the attack.)

More than one-third of ransomware victims report a business disruption of at least one week, according to IDC. (See Figure 1.)

[Chart: Value of Ransomware Activity, 2020 vs. 2021. Source: U.S. Treasury Department. 2020: $416M (actual); 2021, first 6 months: $590M (actual); 2021, full year: $1.18B (projected).]

[Figure 1: Business Disruption Due to Ransomware. Source: Future Enterprise Resiliency & Spending Survey, IDC, July 2021 (N = 199). Bar chart of reported disruption length, categories: more than a few weeks, a few weeks, 1 week, a few days, 1 day, less than 1 day, don't know. Bar values as extracted: 34%, 24%, 18%, 12%, 11%, 2%, 1%.]
Confronting the threats of cryptojacking and ransomware 2
“Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy,” Treasury Secretary Janet Yellen has warned.

Cryptojacking is a less-publicized but equally concerning threat. “Because the cryptomining activity occurs in the background, there’s generally no indication that it’s happening other than a slight performance degradation,” explains managed security services provider SageNet. “However, cryptojacking drains systems resources, increases energy consumption, and can shorten the life of IT equipment. It also consumes precious network bandwidth.”

Easy to ignore

Unless you or your organization is a victim, it’s easy to view malware attacks as somebody else’s problem. But the escalation of ransomware payment demands demonstrates that criminals become more emboldened whenever an attack succeeds.

The Unit 42 security consulting group of Palo Alto Networks found that the average ransomware payment increased 82% to $570,000 in the first half of 2021 compared to 2020. In one widely publicized case, an energy company CEO paid ransomware attackers $4.4 million to reopen a critical fuel pipeline. According to IDC, the median ransomware payment in 2021 was just over $75,000, while the mean payment was over $240,000. (See Figure 2.)

[Figure 2: Ransomware Bounties. Source: Future Enterprise Resiliency & Spending Survey, IDC, July 2021. Survey question: “If your organization paid a ransom in the past 12 months to regain access to systems or data, how much was paid? Include the total amount if multiple ransoms were paid.” Mean (USD): $240,631. Median (USD): $75,001.]

Cryptojacking can seem abstract, as victims may not even realize they’ve been attacked. But the cost adds up for organizations that are running hundreds or thousands of devices, and it may also degrade the execution of key enterprise processes.

More worrisome is that cryptominers are creating backdoors that they or others can use to steal IP or inject ransomware code. One CPU mining program, XMRig, was the second most prevalent form of malware detected in June, according to Check Point Software’s Global Threat Index.

Cryptojacking code “could be installed directly on a host computer to always run in the background and potentially even to propagate across a local network or through phishing attacks,” write legal experts specializing in privacy and security. Such code, they warn, could contain ransomware, “or could even be a false flag intended to disguise delivery of a malicious payload.” It’s likely such infected computers could then become part of a botnet, exposing them to further attacks.
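The SageNet and Check Point observations above describe a miner that hides in the background; on the wire, though, a miner has to talk to a pool, and the Stratum JSON-RPC handshake is a more durable fingerprint than a process name. The detector below is an added example written for this page, not code from the white paper or from any vendor it names. It runs over constructed network-flow and process-creation records (the src/dst/payload and host/cmdline field names are my assumptions about a generic telemetry feed) and flags the canonical Stratum v1 methods, the login-with-agent/algo dialect that XMRig-style miners use with Monero pools (field names from my own reading of such clients; check them against your captures), stratum:// pool URLs, and well-known miner binary names.

```python
"""Flag Stratum mining traffic and miner launches in endpoint/network telemetry."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Stratum v1 JSON-RPC methods used by Bitcoin-style pools.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}
# Monero-pool dialect spoken by XMRig-style miners: a "login" request whose
# params carry the miner's "agent" string and an "algo" list (assumed field names).
XMR_DIALECT_KEYS = {"agent", "algo"}
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl|tls)://[\w.-]+:\d+", re.IGNORECASE)
MINER_NAMES = re.compile(
    r"\b(?:xmrig|xmr-stak|cpuminer(?:-multi)?|minerd|nbminer|lolminer)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    where: str      # source host or IP
    reason: str
    evidence: str


def _jsonrpc(payload: str) -> Optional[dict]:
    """Parse the first line of a stream as a JSON-RPC request, else None."""
    try:
        msg = json.loads(payload.split("\n", 1)[0])
    except ValueError:
        return None
    return msg if isinstance(msg, dict) and "method" in msg else None


def check_netflow(rec: dict) -> Optional[Finding]:
    """rec = {'src', 'dst', 'payload'}: payload is the first text of the TCP stream."""
    msg = _jsonrpc(rec.get("payload", ""))
    if msg is None:
        return None
    method = str(msg.get("method", ""))
    params = msg.get("params")
    if method in STRATUM_METHODS:
        return Finding(rec["src"], "stratum-v1 method", f"{method} -> {rec['dst']}")
    if method == "login" and isinstance(params, dict) and XMR_DIALECT_KEYS.issubset(params):
        return Finding(rec["src"], "xmrig-style pool login",
                       f"agent={params['agent']} -> {rec['dst']}")
    return None


def check_process(rec: dict) -> Optional[Finding]:
    """rec = {'host', 'cmdline'} from a process-creation feed."""
    cmd = rec.get("cmdline", "")
    m = POOL_URL.search(cmd)
    if m:
        return Finding(rec["host"], "stratum pool URL in command line", m.group(0))
    m = MINER_NAMES.search(cmd)
    if m:
        return Finding(rec["host"], "known miner binary name", m.group(0))
    return None


def scan(records: Iterable[dict]) -> List[Finding]:
    out: List[Finding] = []
    for rec in records:
        f = check_netflow(rec) if "payload" in rec else check_process(rec)
        if f is not None:
            out.append(f)
    return out


# Constructed records for this example; not captured from any real network.
SAMPLE_RECORDS = [
    {"src": "10.1.4.22", "dst": "203.0.113.9:3333",
     "payload": json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                            "params": {"login": "WALLET_ADDRESS", "pass": "x",
                                       "agent": "XMRig/6.15.2", "algo": ["rx/0"]}})},
    {"src": "10.1.4.23", "dst": "203.0.113.10:4444",
     "payload": json.dumps({"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.1"]})},
    {"src": "10.1.4.24", "dst": "198.51.100.5:80",
     "payload": "GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"},
    {"src": "10.1.4.25", "dst": "198.51.100.6:8080",   # ordinary JSON-RPC login, not a miner
     "payload": json.dumps({"id": 7, "method": "login", "params": {"user": "alice", "pass": "..."}})},
    {"host": "ws-0142",   # renamed binary, but the pool URL gives it away
     "cmdline": "/tmp/.x/kworkerds -o stratum+tcp://pool.example.net:3333 -u WALLET_ADDRESS -p x"},
    {"host": "ws-0143", "cmdline": "/usr/local/bin/xmrig -c /opt/.cache/config.json"},
    {"host": "ws-0144", "cmdline": "python3 /opt/app/server.py --port 8000"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.where}: {f.reason} ({f.evidence})")
```

Binary names and pool ports are trivially changed, and stratum+ssl hides the method vocabulary from a passive tap, so treat the name and URL rules as cheap first passes and the protocol rule as the one worth keeping. Sustained CPU load from an unfamiliar process is the signal that survives all three evasions, which is the case the rest of this page makes for CPU-level telemetry.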
A costly arms race

Technological advances increase productivity, but they also escalate the continuing arms race between attackers and defenders.

Gartner Inc.’s 2021 CIO Agenda survey revealed that 61% of respondents planned to increase spending on cyber/information security in 2021, while Cybersecurity Ventures projected that global spending on cybersecurity products and services would exceed $1.75 trillion cumulatively between 2021 and 2025.

Despite the immense wealth expended on cyber defenses, attackers continue to find success. According to the Identity Theft Resource Center, by October 2021 the number of data breaches in the U.S. from cyberattacks exceeded the entirety of those reported the previous year.

Increasingly, attackers are targeting weak links in the software supply chain, including software vendors and service providers, as in the SolarWinds and Kaseya breaches, where the initial intrusion compromised customers downstream of the vendor. A single managed services provider (MSP) can serve many customers, giving cybercriminals the opportunity to attack multiple companies at scale.

One weakness among enterprise security solutions is the constant stream of alerts and false positives that can create fatigue among IT teams and reduce their effectiveness. While they’re trying to sort through the noise to find the dangers, real ones may be slipping in undetected. According to FireEye’s Mandiant Security Validation team, attack simulations determined that only 9% of cyber-attacks generated security alerts, and 53% of successful intrusions went undetected.

Clearly there is a need for a more unified effort aimed at detecting and preventing real cyber dangers. In today’s fast-evolving threat environment, security systems must do more than log events; they must deliver timely alerts, autonomously and efficiently, while also reducing false-positive alerts.

[Sidebar: Spending spree. Source: Gartner Inc. 2021 CIO Agenda survey. Firms that planned to increase spending on cyber/information security in 2021: 61%.]
Debunking the myth of the “recent” ransomware problem

December 16, 2021 - By Frank Dickson, Program Vice President within IDC’s Cybersecurity Products research practice

Ransomware conversations have become increasingly common, moving from Pennsylvania Avenue and Wall Street to Main Street. In fact, the conversation has reached all the way to the boards of directors. In IDC’s recent Future Enterprise Resiliency & Spending Survey in July 2021, almost half of US respondents reported that their “board of directors requested a presentation by our CIO/CISO” on ransomware. Globally, the figure is 30%. The elevation of the topic to boards of directors is a relatively recent phenomenon, but it’s more a reflection of a continually evolving cat-and-mouse struggle that’s been happening for decades.

Ransomware had its beginnings in 1989 with the AIDS trojan. Created by Joseph Popp, the malware was distributed by floppy disk at an AIDS conference. Post encryption, the malware asked users to mail $189 to “PC Cyborg Corporation” to obtain a repair tool. Popp claimed benevolence as he promised to donate the profits from the malware to fund AIDS research. Although there were several design flaws in the malware, the concept of encrypting files and extorting users was born. The evolution of ransomware from Popp’s nuisance to a debilitant of organizations has been the result of continuing improvements on two primary vectors: targeting and technical innovations.

The distribution of malware via floppy disk was effective. Gpcode leveraged this distribution method in 2006 with some success, but the approach is self-limiting. The distribution methodology has the natural physical inhibitor of requiring a user to obtain the disk and insert it in a drive, slowing distribution.

In 2013, CryptoLocker found email exponentially increasing distribution velocity by removing the physical distribution constraints. Thus, the application of a digital transformation principle to ransomware was born.

The distribution and targeting innovations were far from over. The leveraging of botnets soon followed. In 2015 and 2016, names like Chimera, SamSam, BitPaymer, Wannacry, and NotPetya furthered the digital transformation principle application, leading to targeting known and unknown vulnerabilities in our IT infrastructure. As our defenses got better, so did the attackers, as spear phishing became the approach of Ryuk, FIN6, and Trickbot. In 2021, the state of the art is the supply chain attack, as malicious groups such as REvil leverage the trusted software of others in supply chain attacks to surreptitiously distribute ransomware on a large scale.
The pace of innovation for the targeting and distribution of ransomware has been equaled by the technical innovation of the malware itself. Early improvements of stronger encryption were key to ransomware effectiveness. Then cryptocurrency enabled anonymous monetization. Effective encryption and anonymous monetization became the foundation of the ransomware value proposition.

In 2015, the innovation moved from the ransomware to the ransomware target. Some ransomware victims unfortunately discovered that if the end-user devices were connected to network stores at the point of ransomware encryption, those network stores would also accidentally be encrypted. Cybermiscreants consequently discovered that the willingness of the victim to pay the ransom, and the amount that the victim was willing to pay, were correlated to what was encrypted. Thus, ransomware attackers increasingly leveraged lateral movement, credential harvesting, and privilege escalation to find high-value targets.

By 2018, the focus turned to the active role of the attacker. Tools to enable attackers became the point of emphasis. Ransomware as a service, evasion, backdoors, and identity theft enabled attackers to better traverse networks and find organizations’ most valued systems and IP. Consequently, ransom amounts moved from the tens of thousands of dollars to hundreds of thousands of dollars.

Today, the vilest attribute of ransomware may have nothing to do with the actual “ransomware” at all, as the core value proposition continues to evolve. Clearly, organizations are willing to pay so they can regain access to their data. What if a cyberattacker first exfiltrates the data, then encrypts? The threat of publicly exposing the data through double extortion not only increases the likelihood of ransomware payment but enables attackers to realize higher ransoms. If customer data happens to be exfiltrated, attackers have extorted the victim organization’s customer as well with the threat of data being exposed, giving birth to multi-faceted extortion. The resulting ransom size continues to grow from hundreds of thousands of dollars to millions.

As IDC describes the evolution of ransomware, it’s important to note that our use of the terms “innovation,” “improvement,” and “value proposition,” which are normally reserved to celebrate achievement, is clearly not complimentary. Nothing could be further from the truth. The impact of ransomware has been devastating, resulting in the closure of businesses. Even the loss of human life can be attributed to it. The purpose here is to illuminate and create a healthy respect for ransomware and ransomware attackers, a sophisticated cadre of individuals who are highly motivated and armed with destructive tools.

Defending against this scourge requires equally sophisticated security professionals with an even more sophisticated set of tools. Organizations must successfully defend against ransomware attacks 100% of the time. Attackers can fail many times but have to succeed only once.
Software alone can’t solve the problem

The security software market is estimated to generate $224 billion in revenue annually, but that’s cold comfort to individuals and organizations that have suffered malware infections. According to a Cisco report, 69% of organizations experienced some level of unsolicited cryptomining in 2020, and 50% of organizations encountered malware-related activity.

Willie Sutton was reputedly once asked why he robbed banks and responded, “Because that’s where the money is.” Cyber criminals are similarly motivated to seek out targets where they can reap the most damage or collect the biggest payouts.

After the Colonial Pipeline attack, the U.S. Department of Justice gained wide acclaim when it announced it had recovered $2.3 million of the ransom payment. But that recovery barely puts a dent in the ill-gotten gains from this type of assault.

“Despite authorities’ recent success in busting several ransomware gangs, this particular breed of malware has proven to be a hydra—cut off one head and several appear in its place—and all signs are that the coming decade will be no less problematic,” Cybersecurity Ventures warned.

Security solutions such as antivirus software detect new attacks based on heuristic rules that distinguish malware from benign code. Another widely used technique scans all files in computer memory to identify potential viruses. But cyberattackers are constantly tweaking code to avoid detection, and many swap tips and techniques to improve attacks or pinpoint weak defenses. Some even offer ransomware-as-a-service, which provides subscriptions to proven tools and techniques that allow even unsophisticated attackers to launch potent assaults.

Commonly deployed detection techniques like static signatures, static/behavioral “honey pot” files, and behavioral file I/O monitoring all have bypasses that ransomware exploits: delayed, arbitrarily timed starts; avoiding hidden folders (where decoy files are often placed); using multiple threads for faster encryption; and using memory-mapped I/O for file encryption, so the encryption does not pass through the monitored write path.

Software-based endpoint detection and response (EDR) solutions are designed to help organizations find, contain, and remove threats quickly. But EDR solutions are typically reactive; enterprises need proactive security.

The built-in, hardware-based security features of today’s Intel processors provide a more secure foundation, with protection against attacks below the operating system coupled with remote recovery capabilities. That in turn can help endpoint security solutions harness CPU telemetry and hardware acceleration to identify threats and detect anomalous activity.

Unfortunately, many enterprises continue to operate old technology that is more susceptible to attacks. A report by J. Gold Associates estimates that “at least 35% of enterprise endpoints deployed at the start of the pandemic were ‘old tech’ that were at least three generations behind the current offerings, and therefore much more likely to be a security risk.”

[Pull quote: “The ROI on avoiding potential data breaches and hacks can easily justify the cost of upgrading equipment, without waiting for the typical 3-5 year refresh cycle.” —J. Gold Associates report]
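The detection techniques listed above (decoy files, behavioral file I/O) and the bypasses the page names are easier to reason about with the logic written out. The block below is an added example for this page, not code from the white paper or from any product it mentions. It assumes a file-system hook (minifilter, eBPF or LSM) that hands the detector the first chunk of each write plus any rename that follows; the event layout, thresholds, canary path and the event stream itself are my assumptions and constructed data. It combines three signals: per-write Shannon entropy with a magic-number exclusion for formats that are legitimately high-entropy, a per-process burst counter over a sliding window, and a decoy file.

```python
"""Behavioural file-I/O heuristic for ransomware: entropy, burst rate and a canary file."""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

HIGH_ENTROPY = 7.2        # bits/byte; ciphertext is ~8.0, English text ~4.5
MIN_SAMPLE = 256          # entropy of a smaller chunk is too noisy to trust
BURST_FILES = 5           # distinct files turned high-entropy by one pid ...
WINDOW_SECONDS = 10.0     # ... within this window raises an alert
CANARY_PATHS = {"/srv/share/_aaa_do_not_open.docx"}   # hypothetical decoy location
# Formats that are legitimately high-entropy and must not count as "encrypted".
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF")


@dataclass(frozen=True)
class WriteEvent:
    ts: float
    pid: int
    path: str
    data: bytes            # first chunk of the write, as the hook would hand it over
    renamed_to: str = ""   # set when the write was followed by a rename of the same file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    if len(data) < MIN_SAMPLE or data.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) >= HIGH_ENTROPY


class RansomwareHeuristic:
    """Per pid, remembers the high-entropy rewrites seen inside the sliding window."""

    def __init__(self) -> None:
        self._recent: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)

    def feed(self, ev: WriteEvent) -> List[str]:
        alerts: List[str] = []
        if ev.path in CANARY_PATHS or ev.renamed_to in CANARY_PATHS:
            alerts.append(f"pid {ev.pid}: canary {ev.path} touched")
        if looks_encrypted(ev.data):
            q = self._recent[ev.pid]
            q.append((ev.ts, ev.path))
            while q and ev.ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            distinct = {p for _, p in q}
            if len(distinct) >= BURST_FILES:
                alerts.append(f"pid {ev.pid}: {len(distinct)} files rewritten as "
                              f"high-entropy data within {WINDOW_SECONDS:.0f}s")
                q.clear()  # one alert per burst, not one per subsequent write
        return alerts


def _pseudo_ciphertext(seed: bytes, n: int = 4096) -> bytes:
    """Deterministic stand-in for cipher output (SHA-256 chain) so the run is reproducible."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


PLAINTEXT = b"Q3 revenue was up 4% on flat costs; see the attached spreadsheet.\n" * 70


def sample_events() -> List[WriteEvent]:
    """Constructed event stream for this example, not a real capture."""
    evs = [WriteEvent(t, 1001, f"/home/u/report{i}.txt", PLAINTEXT)
           for i, t in enumerate((0.0, 1.0, 2.0))]                     # normal document edits
    evs.append(WriteEvent(3.0, 2002, "/home/u/backup.zip",
                          b"PK\x03\x04" + _pseudo_ciphertext(b"zip")))  # high entropy, but a zip
    for i in range(6):                                                  # encryptor at work
        p = f"/srv/share/invoice{i}.xlsx"
        evs.append(WriteEvent(5.0 + 0.2 * i, 4242, p, _pseudo_ciphertext(p.encode()),
                              renamed_to=p + ".locked"))
    canary = next(iter(CANARY_PATHS))
    evs.append(WriteEvent(6.5, 4242, canary, _pseudo_ciphertext(b"canary"),
                          renamed_to=canary + ".locked"))
    return evs


def run(events: List[WriteEvent]) -> List[str]:
    h = RansomwareHeuristic()
    alerts: List[str] = []
    for ev in events:
        alerts.extend(h.feed(ev))
    return alerts


if __name__ == "__main__":
    for line in run(sample_events()):
        print(line)
```

Two of the bypasses the page lists map directly onto this code. A process that encrypts through memory-mapped I/O never issues the write the hook sees, so the entropy and burst rules get no events at all; a process that skips hidden directories never touches a decoy parked in one, so the canary has to sit among real-looking files; and a delayed start outlasts any sandbox that stops watching after a fixed interval. Those gaps, not the rule logic, are the argument for adding a signal from below the OS.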
Software security solutions strengthened with Intel hardware features
Intel vPro® Enterprise for Windows comes equipped with Intel® Hardware Shield to
deliver built-in security below the OS, application, and virtualization layers, and provides
advanced threat detection capabilities including Intel® Threat Detection Technology (TDT).
Intel TDT gives software security solution providers a real-time, hardware-based signal
that makes detection more proactive. CPU-level, real-time telemetry enables Intel TDT
to track encryption at the lowest level, while machine learning (ML) heuristics allow Intel
TDT to single out ransomware from other encryption behavior.
Intel TDT detects ransomware and other threats that leave a microarchitectural
footprint on the CPU and can be analyzed with telemetry from the performance
monitoring unit (PMU). The Intel PMU sits beneath applications, the OS, and
virtualization layers on the system and delivers a more accurate representation of active
threats systemwide.
Intel CPUs come with an integrated graphics controller (GPU), and Intel TDT can be used to offload ML inference processing and security vendor workloads such as advanced memory scanning (AMS) to it. Memory scanning techniques have been shown to be effective in identifying threats but often go unused because of their performance overhead; when certain real-time memory-scanning operations are migrated to the GPU, threat detection is enhanced without decreasing performance, impacting the user experience, or reducing battery life.

With the industry’s first silicon-enabled AI threat detection (1), software security providers can accelerate performance-intensive AI security algorithms without impacting the CPU. Intel is “unlocking capabilities in its system-on-a-chip offerings that fundamentally change the ability of security vendors to implement security,” says IDC.

(1) The Intel vPro platform delivers the first and only silicon-enabled AI threat detection to help stop ransomware and cryptojacking attacks for Windows-based systems. Intel TDT Anomalous Behavior Detection (ABD) is a hardware-based control flow monitoring and anomaly detection solution able to monitor business apps for early indicators of compromise, leveraging the Intel CPU to build dynamic AI models of “good” application behavior. See www.intel.com/PerformanceIndex (platforms) for details. No product or component can be absolutely secure.
Real-time threat detection
When detecting threats in real-time, Intel TDT sends a high-fidelity signal that
can trigger remediation workflows in the security vendor’s code.
Intel TDT can parallelize multiple concurrent detectors at once so security
vendors can run more scans—increasing efficacy while helping to lower false
positives. Intel TDT issues no specialized efficacy or performance reports;
rather, the data is seamlessly incorporated as a part of normal endpoint
sensor reporting.
The Intel TDT technology works alongside Intel Hardware Shield components
to provide integrated hardware-based protection that includes advanced threat
detection, application and data protection, and below-the-OS security. Intel
Total Memory Encryption encrypts all memory-resident data at the silicon level
to help protect data in memory from cold-boot attacks, while Intel Control-
Flow Enforcement Technology provides hardware-based protection against
multiple classes of control-flow attacks.
More agile and data-driven cyberdefenses

The best enterprise security solutions capture real-time data from myriad sources and use it to identify rapidly evolving threats. Platform telemetry is becoming one of the most valuable sources of such data. When combined with machine learning, memory scanning, and other hardware-enhanced capabilities, it can significantly increase protection of IT systems.

The raw data that Intel TDT analyzes helps identify targeted attacks, including polymorphic malware and cryptomining, in real time with minimal end-user impact. Intel TDT enables developers to incorporate these capabilities to extend their own threat detection solutions, and it uses ML heuristics to monitor malware activity at the CPU level with minimal false positives. Security solution developers can leverage the Intel technology and tune configuration parameters for the optimal balance of efficacy, false positives, and performance.

Intel 10th Gen and newer Intel Core processor-based PCs are capable out of the box of leveraging Intel TDT CPU behavior monitoring and threat detection in conjunction with security vendors that have integrated the capability into their endpoint protection software. Intel TDT is enabled by leading security vendors, including Microsoft Defender, SentinelOne Singularity, and BlackBerry Optics, with more providers currently working to enable their solutions to take advantage of these new capabilities, and Intel has a roadmap of future detectors.

The continuing evolution of security threats requires extraordinary measures of protection. Intel has built a suite of technologies to execute a defense-in-depth strategy that recognizes every component—from software to silicon—must work in concert to help secure data and maintain device integrity.
Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.
Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available updates. See Performance Index for configuration details. No product or component can be absolutely secure.
Your costs and results may vary.
Intel technologies may require enabled hardware, software or service activation. No product or component can be absolutely secure. Your costs and results may vary.
© Intel Corp. Intel, the Intel logo, Intel vPro and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.
Learn more about Intel TDT and how Intel vPro Enterprise for Windows delivers the performance, security, manageability, and stability to help propel your business safely.