SANS ISC: Using FLIR in Incident Response? - SANS Internet Storm Center

Using FLIR in Incident Response?

Take a look at a few lines...

First, the going rate of a bitcoin:

Next, the going rate of monero:

Both are seeing a lot of gains.  How is their performance related to each other?

Here are a few more lines to look at...

The Google Webtrends for the search term "ransomware":

Now the trends for the term "bitcoin":

And the trend for the term "monero":

The peak interest in "ransomware" searches is in May 2017, back when WannaCry was making a lot of noise.  NotPetya hit in June/July of 2017, and that seems to be when ransomware started losing its appeal for criminals.  Because NotPetya was a wiper and not actual ransomware, confidence that you would get your files back if you paid the ransom eroded.  Ransomware hasn't disappeared, but it has dropped in popularity.  (There appears to be more money to be made helping people launch ransomware attacks than actually launching attacks; see: https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/)

Perhaps criminals don't want the amount of attention that incidents like WannaCry or NotPetya generated.  Maybe they feel bad about the unintended consequences of locking down a hospital's computer system?  Or maybe there's just more/easier money in finding unused/poorly-secured resources to generate cryptocurrencies.

Crypto miners seem to be the payload du jour.  While writing this down, reader Chis shared the miner that was dropped on one of their servers.  The ad hoc bash script used indicates that there's a bit of red-on-red violence in the illicit mining scene: the dropper kills competing miners before installing its own.  It also seems to be profitable; it looks like the pool used in this instance has generated a dozen or so monero units (is that the right term?) so far.

In response to this trend I'm adding a FLIR camera to my Incident Response jump kit.

Kevin Liston

290 Posts
ISC Handler
Off topic, but why is the diary navigation so incredibly broken? This article here is less than a day old, and the "previous thread" link takes me to "Free Bitcoins" #22752, which is half a year old, and the previous thread link on that page takes me back almost 5 years. How hard is it to make the links actually point to the next-oldest diary entry?
Kevin Liston
41 Posts