Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session

X

What Is Cryptojacking? Prevention and Detection Tips

IT Pros, Threat Detection

image of cryptomining on a computer monitor

We live in a digital age, with more people than ever doing most, if not all, their financial transactions and shopping online. With this also came the rise in cryptocurrencies.

Cryptocurrency was an accidental invention in 2009 by Satoshi Nakamoto (a pseudonym), who’s intent was to create a centralized cash system. Unable to achieve this, Nakamoto instead developed a digital cash system that was based on the accuracy and transparency of accounts, balances, and recording of transactions to prevent double-spending. This innovative, global technology is becoming more widely-used and accepted each year.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Bitcoin was the first cryptocurrency, allowing digital transactions to be accurately recorded. Since the creation of Bitcoin in 2009, many other cryptocurrencies have hit the market: as of December 2019, there were 2,995 different types of cryptocurrency.

Along with the financial rewards of cryptocurrency also come new threats and risks. With the increase in the different types of cryptocurrencies and their rise in value, cybercriminals are quickly shifting their focus from ransomware to cryptojacking due to the lower risk and higher potential for financial gain. Easier and less detectable than ransomware attacks, cryptojacking allows cybercriminals to use compromised computing systems and networks to mine for cryptocurrencies.

Here’s what you need to know about cryptojacking, how it affects your online security and how to protect your business and personal computers to prevent them from being used for malicious intent.

Want to learn more about cybersecurity? Check out these free security training courses and earn CPE credits too.

Must-Know Cryptocurrency Definitions

important cryptocurrency terms to know, cryptojacking, cryptomining, and blockchain

What is cryptocurrency? The concept can be confusing and complex, but to fully understand cryptojacking, it’s helpful to define the terminology behind cryptocurrency.

What is Cryptocurrency?

Cryptocurrencies are encrypted digital currencies that can be used as online payment in exchange for goods and services. These cryptocurrencies are created by combining computer programs and computer processing power in what is known as blockchain technology.

The first cryptocurrency was Bitcoin, which is still one of the most valuable digital currencies. But while Bitcoin is the most recognizable cryptocurrency, it’s not anonymous and payment activity can be traced as it moves back and forth.

Cyberhackers involved in cryptojacking typically focus their efforts on cryptocurrencies such as Monero, Ethereum, and Zcash that have higher anonymity. Cryptocurrencies have also resulted in the creation of supporting industries like cryptocurrency IRAs and crypto digital wallet businesses.

What is a Blockchain?

A blockchain is a chain of information that timestamps digital transactions so they can’t be double-recorded or backdated. The blockchain ledger is open for anyone to access. In a cryptocurrency blockchain, each of the blocks in the chain stores details and data about a transaction, including the receiver and sender, the number of coins involved in the transaction, and a cryptographic hash. These hashes are created by cryptominers using a hash function, which is a mathematical equation that converts data into a string of 64 characters.

When a user wants to send money to someone, the transaction is contained in a block, which is distributed over the network where it’s verified. After verification, the block is added to the chain and becomes a permanent record that can’t be modified, with the cryptocurrency being transferred to the receiver.

The security of blockchains comes from there being only one record of the digital transaction, rather than being recorded in two different databases, like typical online transactions.

What is Cryptomining?

Simply put, cryptomining occurs when computer processing cycles are exchanged for money (cryptocurrency). Cryptomining is the process by which cryptocurrency transactions are added to the blockchain ledger, a time-stamped record of the activity. Each time a cryptocurrency transaction happens, a cryptocurrency miner updates the blockchain and verifies that the information is authentic.

This mining process is done by cryptominers, who use high-powered computing servers and specialized hardware to compute and use a hash function that allows the block to join the blockchain, earning their own cryptocurrency in return. While cryptocurrency values are about one third of what they were a year ago, hackers can still make money by cryptojacking, stealing the computing resources of unsuspecting victims with much less risk of detection than other cybercrimes.

What is Cryptojacking?

Cryptojacking is malicious cryptomining that happens when cybercriminals hack into both business and personal computers, laptops, and mobile devices to install software. This software uses the computer’s power and resources to mine for cryptocurrencies or steal cryptocurrency wallets owned by unsuspecting victims. The code is easy to deploy, runs in the background, and is difficult to detect.

With just a few lines of code, hackers can hijack the resources of any computer and leave unsuspecting victims with slower computer response times, increased processor usage, overheating computer devices, and higher electricity bills. Hackers use these resources to both steal cryptocurrency from other digital wallets and to allow hijacked computers to do the work so they can mine valuable coins.

The core idea behind cryptojacking is that hackers use business and personal computer and device resources to do their mining work for them. Cybercriminals siphon the currency they either earn or steal into their own digital wallet by using these hijacked computers. These hijacked computers are compromised by a slowing down of CPU function and using more electricity for processing.

The Rise in Cryptojacking

cryptocurrency timeline of events

Cryptojacking has become a serious global problem, with cybercriminals gaining unauthorized entry to computer systems to make money with minimal risk and effort. Cryptojacking is on the rise, with hackers coming up with new ways to steal computer resources and mine for cryptocurrencies.

A new trend for hackers is to embed cryptojacking malware on YouTube, where it’s easy to get users to click and activate cryptomining scripts.

Let’s take a closer look at how cryptojacking started.

The Start of Cryptojacking

Cryptojacking first came to light in September of 2017 when Bitcoin was at its height. Code published by the organization Coinhive on their website, which shut down early in 2019, was intended to be a mining tool for website owners to passively earn money — an alternative to displaying ads on their site for income. Instead, cybercriminals realized they could exploit this code to embed their own cryptomining scripts. They were able to use the computing resources of visitors to the website to mine for the cryptocurrency Monero, which has since been involved in other cryptojacking investigations.

Varonis Uncovers Monero Cryptojacking

Cryptomining malware is becoming harder to detect. In a recent investigation into a cryptomining infection, a Varonis Security Research team discovered a new variant of malware that was likely being used in cryptojacking for Monero cryptocurrency. Research showed that the malware was creating network slowdowns and instability, both symptoms of cryptojacking that can be difficult to uncover.

Less Risk For Cybercriminals

Cryptojacking is becoming more popular among cyberhackers. The software used is easier to deploy and harder to detect than traditional hacking methods. Premade software programs are easy to obtain online and once a computer is infected, the cryptomining code runs behind the scenes and can remain undetected for a long period of time.

When detected, cryptojacking is very difficult to trace back to the hacker. By this time, cybercriminals have freely collected and spent their illegal cryptocurrency earnings, leaving businesses with negative consequences including slower running networks and the financial impact of their IT team having to troubleshoot computer crashes.

How Cryptojacking Scripts Spread

different cyrptojacking methods

There are three main methods that cryptojackers use to maliciously mine for cryptocurrencies: downloading malware to execute cryptomining scripts, hijacking IT infrastructure, and accessing cloud services.

File-Based Cryptojacking

With file-based cryptojacking, malware is downloaded and runs an executable file that spreads a cryptomining script throughout the IT infrastructure.

One of the most common ways that cryptojacking occurs is by using malicious emails. An email is sent containing an attachment or link that looks legitimate. When a user clicks on the attachment or link, code is executed that downloads the cryptomining script onto the computer. This script works in the background without the user’s knowledge.

Browser-Based Cryptojacking

Cryptojacking attacks can take place directly within a web browser, using IT infrastructure to mine for cryptocurrency.

Hackers create a cryptomining script using a programming language and then embed that script into numerous websites. The script is run automatically, with code being downloaded onto the users’ computer. These malicious scripts can be embedded in ads and vulnerable and out of date WordPress plugins.

Cryptojacking can also happen through a supply chain attack, where cryptomining code compromises JavaScript libraries.

Cloud Cryptojacking

When hackers use cloud cryptojacking, they search through an organization’s files and code for API keys to access their cloud services. Once access is gained, hackers siphon unlimited CPU resources for cryptomining, resulting in a huge increase in account costs. Using this method, hackers can significantly accelerate their efforts of cryptojacking to illicitly mine for currency.

How Does Cryptojacking Work?

These three methods above allow hackers to steal cryptocurrency from unsuspecting victims by using their resources for their personal gain. Here are the mechanics and steps behind the cryptomining process:

1. Compromise an Asset to Embed Script

image of the cryptojacker compromising an asset and spreading that asset

Cyberhackers, also known as threat actors, compromise an asset by embedding cryptomining code using one of the three methods above.

2. Execute Cryptomining Script

image of the cryptojacking script being implemented

Once embedded, cryptojackers are counting on victims to execute the script. Users either click on an attachment or link to execute and run the cryptomining script or browse to a website with infected ads.

3. Cryptomining Begins

image of the cryptojacker running the malicious script

After being executed, the cryptomining script runs in background, without the knowledge of the user.

4. Solving Algorithms

image of the cryptojacker hijacking a device to mine for them or intercept currency

The script uses computer power to solve complex algorithms to mine what is called a “block.” These blocks are added to a blockchain, the technology which stores digital information about cryptocurrency.

5. Jackers Receive a Cryptocurrency Reward

image of cyrptojacker receiving the stolen cryptocurrency

Each time a hacker adds a new block to the chain they receive cryptocurrency coins. Without very little work or risk, these threat actors are able to gain reward in cryptocurrency that they can anonymously put directly into their digital wallets.

How to Detect Cryptojacking

tips to detect cryptojacking

Cryptojacking has the potential to affect your entire business operation. Detecting which of your systems have been compromised can be difficult. The code in cryptomining scripts can easily evade detection which means you and your IT team need to be extremely vigilant.

Here are some of the methods you can use to detect cryptojacking before it’s too late.

Decrease In Performance

One of the top symptoms of cryptojacking is a decrease in performance in your computing devices. This includes desktops, laptops, tablets, and mobile devices. Slower systems can be the first sign of cryptomining – educate your employees to report any decrease in processing to IT.

Overheating

The resource-intensive process of cryptojacking can cause computing devices to overheat. This can lead to computer damage or shorten their lifespan. Also related to overheating devices are fans that run longer than they should in an attempt to cool down the system.

Check CPU Usage

Have your IT team monitor and analyze the central processing unit (CPU) usage, or you can do it yourself for personal computers. This can be done using the Activity Monitor or Task Manager. If there’s an increase in CPU usage when users are on a website with little or no media content, it’s a sign that cryptomining scripts may be running.

Monitor Websites

Cybercriminals are looking for websites where they can embed cryptomining code. Regularly monitor your own websites for changes to webpages or any files on the web server. This early detection can prevent your systems from being compromised by cryptojacking.

Be Aware of New Cryptojacking Trends

Cybercriminals are always modifying code and coming up with new delivery methods to embed updated scripts onto your computer system. Being proactive and staying on top of the latest trends can help you detect cryptojacking on your network and devices.

Reliable crypto-news sources include:

  • CoinDesk – CoinDesk is one of the leading sources for up-to-date information about cryptocurrency, blockchain technology, and security risks.
  • TodayOnChain – TodayOnChain provides reliable information about crypto-news, including different types of cryptocurrencies and security risks.
  • CryptoSlate – CryptoSlate regularly updates with articles related to cryptocurrency and blockchain, including the latest trending news.

Scan For Malware

Malware created for cryptomining uses up system resources much the same as cryptojacking scripts. Similar to CryptoLocker, malware can be used to infect computers, encrypt files, and hold them for Bitcoin ransom. Using your security software to scan for malware can help identify these malicious scripts. You can also use software such as PowerShell to detect a cryptojacking attack.

How to Prevent Cryptojacking: Tips and Tactics

cyptojacking prevention tips

Although it’s difficult to detect when your computer system has been compromised by cryptojacking, there are some preventative measures you can take to protect your computer and networking systems and your own crypto-assets:

Train Your IT Team

Your IT team should be trained to understand and detect cryptojacking. They should be well aware of the first signs of an attack and take immediate steps to investigate further.

Educate Your Employees

IT teams need to rely on employees to let them know when computers are running slowly or overheating. Employees also need to be educated in cybersecurity, such as not clicking on links in emails that execute cryptojacking code and only downloading from trusted links. The same rule applies for personal email on your own devices.

Use Anti-Cryptomining Extensions

Cryptojacking scripts are often deployed in web browsers. Use browser extensions to block cryptominers across the web such as minerBlock, No Coin, and Anti Miner.

Use Ad-Blockers

Web ads are common places for cryptojacking scripts to be embedded. Using an ad-blocker can both detect and block malicious cryptomining code.

Disable JavaScript

When browsing online, disabling JavaScript can prevent cryptojacking code from infecting your computer. Keep in mind that disabling JavaScript will block many of the functions you need when browsing.

To save an annotation of the topics we explored download or share the infographic below:

click to download infographic button

Use the tips and guidelines here to be aware of cryptojacking and what it means to you and your business. If your computer network has been attacked by cryptojacking, it’s time to take a closer look at the strength of your security. Varonis has anti-ransomware software and services your organization needs to stay alert and protected against malicious cryptomining.

Rob Sobers

Rob Sobers

Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.

 

Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.