The Rise of Cryptojacking: Prevent it, Detect it and Recover from the Malware

The Rise of Cryptojacking: Prevent it, Detect it and Recover from the Malware

As cryptocurrencies grew in acceptance as well as value and cryptocurrency mining became a lucrative business, cryptojacking has become the latest jackpot for cybercriminals. Thousands of websites globally that are operated by government agencies and the most recognized organizations are compromised by malicious con artists who harvest their victims’ CPU power for covert mining operations.  

A Significant Problem

The so-called cryptojackers make millions of dollars by targeting particular digital currencies, and they could be using your computer. The criminals use ransomware-like tactics to poison websites and in the process get your employees’ computers to mine cryptocurrencies.

This guide will help you understand their tactics, how to protect yourself and if already victims, what you can do to stop it.

According to Symantec’s 2018 Internet Security Threat Report, cryptojacking became a major cybersecurity challenge in 2017. The report analyzed data covering 700,000 global threats from 126.5 million attack sensors and monitors from 157 countries and territories. The report showed that cryptojacking, where a computer is unknowingly used for cryptocurrency mining, increased 8500 percent in 2017 alone with over 1.7 million attacks reported in December alone.  

Cybercriminals turned to cryptojacking because of its low entry barriers since they only require a few lines of code to subvert a machine. By using coinminers, cryptojackers steal a device’s power and cloud CPU usage to mine cryptocurrencies. A hijacked computer slows down, overheats easily and in some cases, it is rendered unusable. Things are worse on the organizational level because according to the report:    

“Corporate networks are at risk of shutdown from coinminers aggressively propagated across their environment. There may also be financial implications for organizations who find themselves billed for cloud CPU usage by coinminers.”

Why is there an Explosion of Cryptojacking?

You may want to think that the ongoing crypto-winter would have hindered cryptojacking attacks since the related profit margin is lower, however the exact opposite has happened.

CISCO Umbrella analysts told the RSA Conference 2019 that the volume of cryptojacking related traffic went up 200 percent.

Pundits believe that the dwindling profits related to cryptomining as a result of the bearish crypto market has made using one’s resources unprofitable, hence the switch to the mischief that is cryptojacking.

Discussing the extent of the threat, the president and chief operating officer of Symantec Mike Fey explained:

“The massive profit incentive puts people, devices and organizations at risk of unauthorized coinminers siphoning resources from their systems, further motivating criminals to infiltrate everything from home PCs to giant data centers.”

Symantec’s Director of Security response Kevin Haley added:

“Now you could be fighting for resources on your phone, computer or IoT device as attackers use them for profit […] people need to expand their defenses, or they will pay for the price for someone else using their device.”

Browser-based cryptojacking is on the rise with JavaScript miner being the most common method since it’s also used for legitimate mining activity. What’s worse, cryptojacking doesn’t require serious technical skills with kits available on the dark web for as little as $30.

Cryptojackers are willing to stick their necks on the line because they see it as a way of making more money for less risk. SecBi Co-founder and CTO Alex Vaystikh said:   

“Hackers see cryptojacking as a cheaper, more profitable alternative to ransomware […] the hacker might make the same as those three ransomware payments, but crypto mining continuously generates money.”

How Cryptojacking Works

Hackers use at least two different methods to secretly mine cryptocurrencies using victims’ computers.

The first one is tricking the victim into loading the cryptomining code onto their computers by using phishing-like tactics. A victim will receive a genuine-looking email encouraging them to click a link; once clicked, the link runs a code that embeds the cryptomining script on the computer but it runs in the background as the victim does their routine work.

The second method involves injecting a script on a website or ad that will be delivered to multiple websites. The ad pops up in the browser once a victim visits the infected website or ad and executes automatically, but in this case, no code is stored in the victim’s computer. Whatever method is used, the code will run complex mathematical problems on the victim’s computer and send the result to the hacker’s server. According to Vaystikh:

“Attacks use old malware tricks to deliver more reliable and persistent software [to the victims’ computers] as a fallback.”

Cryptojacking scripts, unlike other types of malware, don’t damage victims’ computers or their data. By stealing the victim’s CPU processing power, the slow computer performance becomes the greatest annoyance. Where organizations are the victims, the crypto-jacked system incurs real costs in terms of the time help desks and IT departments will spend tracking performance issues and replacing parts or systems hoping to solve the problem.   

Tips for Preventing CryptoJacking

The good news is that you or your organization doesn’t have to fall prey to cryptojacking. There are a few simple but necessary steps you can follow to avoid becoming a victim including the following:

  1. Include the cryptojacking threat when conducting cybersecurity awareness training, and focus mainly on phishing-like attempts that load scripts on users’ computers. Training comes in handy when the technical solutions fail.   
  2. Install ad-blocking or anti-cryptomining extensions on web browsers as most cryptojacking scripts are delivered via web ads, choose those that are specifically designed to detect and block cryptomining scripts.
  3. Use endpoint protection and antivirus software that can detect known crypto miners.
  4. Ensure that your web filtering tools are up to date; always block web pages you may have known to deliver cryptojacking scripts.  
  5. Maintain browser extension since some attackers use a malicious browser extension or poison legitimate extensions to perform crypto mining.
  6. Employ a mobile device management solution to control what users have on their devices since Bring-your-own-device policies can come with illegal crypto mining.  

How to Detect Cryptojacking

Cryptojacking, just like ransomware, can still attack despite your best efforts. Detecting may be difficult in a situation where only a few systems have been compromised, and it can even hide from the best detection tools and antiviruses. The following tips will, therefore, come in handy:

  1. Train users to identify signs of cryptomining such as slow performing computers; a surge in help desk complaints should be a red flag.
  2. Look out for a spike in reports of overheating systems which could be caused by cooling fan or CPU failures; this is especially true with devices like smartphones and tablets.
  3. Deploy network monitoring solutions which make it easier to detect anomalies.
  4. Monitor your website for cryptomining codes by regularly monitors file changes on your web server or variations on the pages. While the server may not be the target, web visitors risk infection.

Cryptomining codes and delivery methods are always evolving and you want to stay informed of cryptojacking trends. Once you know about delivery mechanisms, you will understand what you are up against.  

Tips for Responding to a Cryptojacking Attack

What should you do once you are sure that you have become a victim of cryptojacking?

The following tips should be helpful:

  • If you are dealing with an in-browser JavaScript attack, merely kill the tab running the script. Take note of the website URL where the scripts originated, and update your file filters to block it. Deploy anti-crypto mining tools to avoid further attacks.     
  • Update and purge browser extension and remove those that are infected or unnecessary.
  • Use your experience to understand how attackers were able to compromise your systems and update user, help desk and IT training to identify threats in future better and act accordingly.

The Last Word

Cryptojackers don’t respect anyone; just remember what they did to charity organization Make-A-Wish Foundation and take it as your cautionary tale. While coin providers may have to play their role in creating stricter regimes to prevent cryptojacking, you want to play your part by using deep inspection and analysis methods to detect and interpret malicious codes in real time and block threats.   

Your safety rests in ensuring all line codes are evaluated to make infiltration techniques ineffective. Once you accomplish that, your users will be a happier lot, content will flow faster and safer, and your organization will experience reduced spending.