Iran-Backed Hackers Boost Cryptojacking, Ransomware Capabilities, iDefense Report Says

Iran turns to ransomware and cryptocurrency mining malware amid geopolitical tension, with analysts suspecting that the state is backing some groups.

Iranian hacking groups are increasing their crypto-related cyber threats, as the country is facing renewed US sanctions. A recent report by iDefense - a company owned by Accenture - found connections between actors in the country and some forms of malicious software. Moreover, researchers suspect that some of the actors are state-backed.

“The increased repurposing of popular malware by Iranian actors could lead to the use of ransomware for destructive purposes by state-sponsored organizations,” the report noted.

It added that the US and Europe are not likely to become the focus of cyberattacks from Iran unless the country is placed under extreme economic pressure. On the other hand, countries like Saudi Arabia, the United Arab Emirates, Bahrain, and Israel could become targets of such attacks.

While Iran’s cyberespionage is relatively well-known, local hackers also seem well aware of the latest trends in cryptocurrency-related activity, using both ransomware and cryptojacking. At least two distinct types of malware, TYRANT and RASTAKHIZ, are said to come from a single source based in the country, while the origin of several others cannot be fully verified.

The attackers are not only targeting Windows PCs, but have also moved to Android devices. This is mostly done through apps that are not listed on the official Google Play store. The APK files, downloaded via third-party marketplaces like Myket, frequently require the user to enable a permission that disables a built-in protection before they can be installed. Devices not running the latest versions of their operating systems are targeted because they remain vulnerable.

Cryptojacking has reportedly seen a steady increase over the years, iDefense noted. Meanwhile, Monero (XMR) is gaining overwhelming popularity among unwelcome miners, as it provides anonymity while its lower difficulty makes it easier to mine. At the same time, some mining packages, like XMRig, are easy to integrate even for inexperienced hackers.
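As an added defender-side illustration (not code from the iDefense report or this article), the snippet below scans process-listing lines for the traits that make XMRig-style miners easy to spot: stratum pool URIs on the command line, a few XMRig command-line options, and the binary name itself. The sample lines, the pool hostname and the wallet value are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-listing lines: "<pid> <user> <command line>".
SAMPLE_PROCESSES = [
    "1001 www-data /usr/sbin/apache2 -k start",
    "2045 nobody /tmp/.x/kworkerds -o stratum+tcp://pool.example.invalid:3333 "
    "-u WALLET_PLACEHOLDER -p x --donate-level=1",
    "2311 root /usr/bin/python3 /opt/app/worker.py",
    "2500 user ./xmrig --url=stratum+ssl://pool.example.invalid:443 "
    "--user=WALLET_PLACEHOLDER --coin=monero",
]

# Mining pools are reached over the stratum protocol; XMRig accepts tcp and ssl variants.
POOL_URI = re.compile(r"stratum\+(?:tcp|ssl)://([A-Za-z0-9.\-]+):(\d+)")
# Options specific to XMRig-family miners (generic ones like -o/-u are deliberately excluded).
XMRIG_FLAGS = {"--donate-level", "--coin", "--algo"}


@dataclass
class MinerHit:
    pid: int
    user: str
    pool_host: Optional[str]
    pool_port: Optional[int]
    reasons: List[str]


def inspect_process(line: str) -> Optional[MinerHit]:
    """Return a MinerHit when the process line carries cryptojacking indicators, else None."""
    pid, user, cmdline = line.split(maxsplit=2)
    tokens = cmdline.split()
    reasons: List[str] = []
    host, port = None, None
    match = POOL_URI.search(cmdline)
    if match:
        host, port = match.group(1), int(match.group(2))
        reasons.append("stratum pool URI")
    # Normalise "--flag=value" to "--flag" before matching against the indicator set.
    flags = {tok.split("=", 1)[0] for tok in tokens[1:] if tok.startswith("-")}
    hits = sorted(flags & XMRIG_FLAGS)
    if hits:
        reasons.append("xmrig-style flags: " + ", ".join(hits))
    if "xmrig" in tokens[0].lower():
        reasons.append("binary name contains 'xmrig'")
    return MinerHit(int(pid), user, host, port, reasons) if reasons else None


def scan(lines: List[str]) -> List[MinerHit]:
    """Apply inspect_process to every line and keep only the flagged processes."""
    return [hit for hit in map(inspect_process, lines) if hit is not None]
```

Renamed binaries (the `kworkerds` line) are still caught by the pool URI and the donate-level option, which is why the check looks at more than the process name.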

In the past weeks, there have been several reports of more sophisticated malicious software that brings quick profits to its creators. While SamSam is one of the more targeted types of ransomware, the virus affecting routers in Brazil has a broader reach. On the other hand, iDefense has identified BlackRuby as a particularly interesting type of malware, as it combines the best of both worlds: it encrypts user files while demanding a $650 ransom, and adds a crypto miner.