Symantec: Look for cryptojacking to tie into IoT devices

Internet-connected devices are becoming an attractive target for hackers looking to use their processing power to mine cryptocurrency.

In its newest yearly report, cybersecurity giant Symantec says internet-connected devices are becoming an attractive target for hackers looking to hijack processing power to mine cryptocurrency.

The Internet Security Threat Report, which looks back on threat trends for 2017, states cryptojacking — co-opting unsuspecting users’ CPU power to mine cryptocurrency — was one of the biggest growth areas in cybercrime last year.

Combine that threat with an overall increase in attacks on devices that make up the Internet of Things, and there is now a wide new target for criminals to potentially exploit for financial gain.

“Symantec already found a 600 percent increase in overall IoT attacks in 2017, which means that cyber criminals could exploit the connected nature of these devices to mine en masse,” the report says.


The company has seen some instances of connected devices being used to mine for cryptocurrency, according to Kevin Haley, director of Symantec Security Response. He anticipates growing instances of cryptomining via IoT devices in the future.

“The processing power is even less than a browser-based [cryptojacker] or what a laptop can do, but there’s so many of them and they’re so poorly protected that I can get use of them,” he said. “Each makes a fraction of a penny, but if I’ve got enough of them, the money will be significant.”

Symantec’s research backs up other findings CyberScoop has reported on, including that cryptojacking programs are the most prevalent malware currently online.

Over the course of 2017, file-based detections of coinminers increased by 8,500 percent, the report said.

“We used the word ‘explode’ and I think it’s kind of appropriate,” Haley said.


Overall coinmining activity increased by 34,000 percent over the course of the year, the report found. But that number may be inflated somewhat “as network-based detections may block and count multiple attempts to conduct coinmining from the same device,” Haley said.

Cryptojacking attacks, he said, “really started in the fall of 2017, so they kind of came out of nowhere.”

Symantec blocked more than 8 million coinmining events in December 2017 alone, according to the report.

“Cyber criminals who have been firmly focused on ransomware for revenue generation are now starting to explore other opportunities,” the report says. “During the past year, the astronomical rise in cryptocurrency values inspired many cyber criminals to shift to coin mining as an alternative revenue source.”

It’s also a “less disruptive” way to earn income, Symantec notes, adding that it’s harder for criminals using ransomware to “fly under the radar” as opposed to using a cryptojacker.


“These guys did a basic cost-analysis and said ‘Well if I’m using somebody else’s hardware and somebody else’s electricity it’s all gravy,’” Haley said. “‘I may not make a lot from any one machine, but if I can get lots of them then I’ll make enough to make it worth my while.’”

Ransomware is so 2016

The report says the immense coverage of the WannaCry and NotPetya attacks brought a heightened focus on ransomware-style attacks, and “masked the first indications of a shift in the ransomware landscape in particular.”

While ransomware “remains a major threat,” Symantec said it appears some criminals have moved away from the practice.

“We’re kind of talking about this as a market correction,” Haley said.


2017 saw fewer ransomware families and lower average ransomware demands than in 2016, “signaling that ransomware has become a commodity,” according to the report.

Symantec saw an “incredible” increase in 2016 in the number of attacks, in the spread of gangs responsible for operating the malware and in the average ransomware demand, Haley said.

“A lot of people said ‘Hey, this is easy money. Let me get in on this and I’m going to ask for, on average, a thousand bucks in ransom,’ ” Haley said. “And those people didn’t get paid $1,000 because people who were willing to pay the ransom couldn’t spend that much money.”

A lot of the amateurs “went out of business” because they weren’t getting the return they hoped for, Haley said.

“They moved on to cryptojacking and to financial trojans, where they think they can make more money,” he said. “The amateurs left the market, and now it’s just the professionals. The ones that are good at it remain.”


Symantec left out WannaCry and NotPetya from its ransomware numbers because NotPetya was actually “a destructive wiper that masqueraded as ransomware,” and because both threats were “not ‘typical’ ransomware attacks.”

Haley noted that ransomware is “always going to be there,” but he said the growth seen in previous years is gone.

Another trend highlighted by the report is the prevalence of software supply chain attacks, which saw a 200 percent increase in 2017, according to Symantec.

“This has become a new standard operating procedure,” Haley said. “So that 200 percent increase we’re talking about, it really means people need to start paying attention to their software vendors and their software vendors’ security, because bad guys are looking to leverage that to get into your organization. We can’t ignore it anymore. These are not isolated incidents.”


Written by Samantha Ehlinger

Samantha Ehlinger is a technology reporter for FedScoop. Her work has appeared in the Houston Chronicle, Fort Worth Star-Telegram, and several McClatchy papers, including Miami Herald and The State. She was a part of a McClatchy investigative team for the “Irradiated” project on nuclear worker conditions, which won a McClatchy President’s Award. She is a graduate of Texas Christian University. Contact Samantha via email at, or follow her on Twitter at @samehlinger.
