What Is Cryptojacking? Prevention, Detection, and Recovery
Cryptojacking is a combination of a malware attack and exploitation of co-opted computer resources. Malware is used to gain access to computers or mobile devices for use in cryptomining for cryptocurrency.
Compromised systems are used to provide power and compute resources for cryptomining. Cryptomining bots commonly enslave multiple systems, creating a botnet that mines for cryptocurrency.
What Is Cryptocurrency?
Cryptocurrency is a form of digital money. It only exists online, with no physical presence. It is used as currency to exchange online for goods and services. Cryptocurrency can be purchased or earned through cryptomining, which involves using a computer to solve complex, encrypted math equations, or hashes, in return for units of currency.
Cryptocurrency comes in units known as coins. These coins exist as records of transactions in multiple databases that reside simultaneously across a decentralized network of many computers that manage and record transactions using blockchain technology.
Blockchain at a Glance
In lieu of oversight by a government or central bank, cryptocurrency relies on a distributed ledger, the most common of which is a blockchain. It is a system of recording information that uses encryption and timestamping to make it difficult or impossible to alter or hack records.
A blockchain is essentially a digital ledger of transactions that is duplicated and distributed across the entire network of computer systems that reside on the blockchain. The blockchain retains a detailed history of each digital transaction to protect the coins and keep them from being used more than once by the same person.
There are hundreds of cryptocurrencies, and each has a unique coin or token. According to Forbes, the top ten cryptocurrencies are:
1. Bitcoin (BTC)
2. Ethereum (ETH)
3. Tether (USDT)
4. Binance Coin (BNB)
5. Cardano (ADA)
6. Dogecoin (DOGE)
7. XRP (XRP)
8. USD Coin (USDC)
9. Polkadot (DOT)
10. Uniswap (UNI)
In addition to these popular cryptocurrencies, companies also issue their own cryptocurrencies or tokens. Those specialized cryptocurrencies can only be exchanged for each company’s goods or services.
What Is Cryptomining?
Cryptomining, also known as cryptocurrency mining, is the process by which transactions between cryptocurrency users are verified, or new blocks are generated and added to a blockchain. Multiple cryptominers compete to solve the hashes that will, in turn, validate a particular transaction. The first to solve the problem is rewarded—usually with a fee associated with the verification or the newly-created cryptocurrency.
The cryptomining process requires solving extremely complex problems (i.e., hashes)—basically overcoming the encryption by figuring out the password. Once the encryption is cracked or solved, other users on the network must verify it.
Once verified, the solution is certified by the system as legitimate, and whoever solved it is rewarded with cryptocurrency. Also, those who were involved in verifying the solution’s validity receive a reward.
While any computer can technically be used for cryptomining, powerful systems are required to be competitive at cryptomining activities. This is because of the strong encryption used with cryptocurrencies. Because multiple cryptominers can work on a transaction, but only one will receive the reward, there is motivation to find maximum processing power, in order to cryptomine faster.
Cryptominers use coinminers to mine cryptocurrencies. While these tools have legitimate uses, they are commonly deployed through malware for cryptojacking.
What Is Cryptojacking?
Cryptojacking is when an attacker, or hacker, gains unauthorized access to a device and uses it to power their cryptomining efforts. By employing cryptojacking, cryptominers, or coinminers, are able to mine for more transactions faster. However, the cryptojacked system will increase its power consumption, and the cryptomining activities will slow the device’s processing capabilities—sometimes causing the system to fail.
Coinminer malware works undetected on compromised systems. The malware does not aim to steal data or blackmail the user, but instead remains in the background as long as possible, in order to carry out mining stealthily. To do this, the malware uses resources from the infected computer, such as the processor, graphics card, and main memory, as well as its network bandwidth.
Malicious coinminers are used to mine for cryptocurrency in several ways, including the following:
- Executables (e.g., *.exe files) are placed on the computer and directed to mine cryptocurrencies.
- Browser-based coinminers work as long as a browser remains open on an infected website—some are created for the sole purpose of cryptojacking, and others are co-opted without the website owner's knowledge or consent.
- Advanced fileless miners maliciously do their work in a computer's memory, taking advantage of legitimate tools like PowerShell.
How Cryptojacking Scripts Spread
The favored approach for cryptojacking devices is using malware. Users are enticed to click on a malicious link or attachment, and the cryptojacking process begins. The attacker gains access to the device and deploys cryptojacking scripts on that system and spreads them to other systems using worm malware.
Drive-by cryptomining is another way cryptojacking scripts spread. This is the browser-based attack noted above.
Cryptojacking scripts also spread through API keys. Attackers use the keys to access cloud services and harness those resources to power their cryptomining activities.
Cryptojacking Prevention—Protecting Systems
Following are several techniques used for cryptojacking protection. Used in combination, these techniques help prevent cryptojacking attackers from successfully setting up a cryptomining operation.
A few basic steps to defend against cryptojacking are:
- Avoid unsecured websites (i.e., those with no SSL certificate)
- Create website whitelists and blacklists
- Do not click on links or attachments from unknown senders
- Educate employees about how cryptojacking works and its related risks
- Implement a strong password policy
- Install software updates and patches
- Only download extensions and software programs from trusted providers
- Use technology to your advantage, including:
  - Ad blockers
  - Anti-malware tools
  - Anti-virus tools
  - Application controls on servers
  - Endpoint protection
  - Intrusion detection systems (IDS)
  - Mobile device management (MDM) tools
  - Next-gen firewalls
  - Virtual private networks (VPN)
  - Web filtering tools
Cryptojacking Detection—What to Look For
It is often difficult to detect cryptojacking, because coinmining tools operate almost invisibly in the background of legitimate processes. Indications that a system has been compromised and is being used for cryptojacking include:
- Battery draining more quickly than normal
- Computer’s fan running faster or more frequently than usual
- Device overheating or feeling much hotter than usual
- Increased processor usage and higher electrical bills
- More frequent computer crashes or unusually poor performance
- Spikes in CPU usage
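The indicators above are what a person notices; on a fleet you want the same check done by a script. The following is an added example, not code from the original article or from Egnyte: it takes a few constructed snapshots of process CPU usage (the shape `ps -eo pid,comm,%cpu` prints), flags processes that stay above a threshold across consecutive samples rather than merely spiking once, and labels each hit with the miner category the article describes (browser-based, fileless via PowerShell, or standalone executable). The thresholds and the browser/script-host name sets are assumptions to be tuned to your baseline.

```python
"""Flag processes whose CPU use stays high across consecutive samples."""
from collections import defaultdict

# Constructed sample data: three snapshots of (pid, command, %CPU), taken a
# minute apart on a hypothetical host. Not real telemetry.
SNAPSHOTS = [
    [(1201, "chrome", 92.5), (877, "powershell", 3.0), (412, "explorer", 1.2)],
    [(1201, "chrome", 95.1), (877, "powershell", 88.4), (412, "explorer", 0.9)],
    [(1201, "chrome", 93.7), (877, "powershell", 91.0), (412, "explorer", 1.5)],
]

# Assumed thresholds: percent of one core, and samples in a row before alerting.
CPU_THRESHOLD = 80.0
MIN_CONSECUTIVE = 3

# Assumed name sets; extend them for the software actually deployed.
BROWSERS = {"chrome", "firefox", "msedge", "safari"}
SCRIPT_HOSTS = {"powershell", "pwsh", "wscript", "cscript"}


def sustained_high_cpu(snapshots, threshold=CPU_THRESHOLD, min_run=MIN_CONSECUTIVE):
    """Return {(pid, comm): run_length} for processes at or above `threshold`
    in the last `min_run` consecutive snapshots. A one-off spike is ignored;
    a miner keeps the CPU pinned for as long as it runs."""
    runs = defaultdict(int)
    for snap in snapshots:
        seen = set()
        for pid, comm, cpu in snap:
            key = (pid, comm)
            seen.add(key)
            runs[key] = runs[key] + 1 if cpu >= threshold else 0
        for key in list(runs):          # a process that vanished breaks its run
            if key not in seen:
                runs[key] = 0
    return {k: v for k, v in runs.items() if v >= min_run}


def classify(comm):
    """Map a command name to the miner category from the article."""
    name = comm.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    if name in BROWSERS:
        return "browser-based"          # recovery: close the offending tab
    if name in SCRIPT_HOSTS:
        return "fileless/script host"   # e.g. PowerShell running in memory
    return "standalone executable"


if __name__ == "__main__":
    for (pid, comm), run in sustained_high_cpu(SNAPSHOTS).items():
        print(f"pid {pid} ({comm}): high CPU for {run} samples, {classify(comm)}")
```

In the constructed data only `chrome` is pinned for all three samples; lowering `min_run` to 2 also surfaces the PowerShell process that ramped up in the second sample.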
Cryptojacking Recovery Tactics
In the event that a device or network is compromised by a web-based cryptojacking attack, a number of steps can be taken to stop the cryptomining.
- Kill the browser tab that’s running the cryptomining script.
- Update browser extensions.
- Disable all website-delivered scripts.
- Delete and remove all extensions.
- Run an antivirus scan to detect and eradicate malware.
Preventative measures noted in the section above should also be implemented once the cryptojacking attack has been stopped and remediated.
Avoid Cryptojacking by Being Aware
Awareness is a critical step in preventing cryptojacking. Not only is it important to pay attention to systems and look for signs of compromise, it is also imperative to understand how and why cryptojacking persists.
The lure of “easy” money is too tempting for cybercriminals to ignore. And the abundance of tools available makes the bar for entry very low.
The threat of cryptojacking extends from petty thieves to global crime syndicates. In the event of a compromise, it pays to take the time to understand what happened (and why) to help prevent future occurrences.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 10th October, 2021