News headlines constantly remind us of the volume of cyberattacks targeting major retailers, banks, hospitals, and individuals like you and me. Some of these attacks involve a high level of complexity, but until recently most have been fairly basic—recycled from older malware and repurposed by attackers for different goals. That’s all starting to change now.
You may have heard of ransomware, a type of malware that has ensnared victims worldwide and cost them billions of dollars. You may have also noticed the hype surrounding cryptocurrencies; countless people have bought into the craze, speculating that the values of these digital currencies will rise quickly and make them rich. Well, if you combine the idea of ransomware – and related forms of malware – with the idea of cryptocurrency, you get a whole new and sophisticated type of cyberattack: cryptojacking.
Cryptojacking is an attack that combines the malware used for mining cryptocurrencies with malware that allows those mining activities to run undetected. This type of attack allows a hacker to hijack the processing power of a target system (or a collection of systems) in order to mine cryptocurrencies.
Wait up – just what is cryptomining? In short, it’s the process of identifying and verifying transactions involving cryptocurrencies, such as bitcoin; miners use powerful computers and software to track these transactions, and in return are paid fees in newly minted cryptocurrency. The process can be lucrative, but it requires a lot of computer power and related resources. And that’s why some unscrupulous miners have resorted to cryptojacking.
The allure of cryptomining stems from the exponential rise in value that many cryptocurrencies have experienced, making some cryptominers quite rich in a very short period of time. This digital gold rush has led to a virtual stampede—including both legitimate miners and criminal organizations—into the cryptomining arena. At the same time, the success of ransomware and the rise in cryptocurrency values has led to the rapid spread of cryptomining malware, much of it adapted from earlier forms of ransomware, across the globe.
Cryptojacking attacks can be initiated in a variety of ways; one common method is through phishing, where a victim is tricked into clicking on a link in an email. Once the link is clicked, the victim unwittingly loads the cryptomining malware code into his or her browser. In-browser cryptojacking is growing quickly, increasing by 31 percent in 2017. In addition, many ransomware programs have been re-tooled to work in cryptomining schemes.
In addition to in-browser attacks, an attacker can inject code directly into an online ad that is shown on many websites, or into a single website. Attackers may simultaneously use the in-browser, online-ad, and website techniques to maximize mining effectiveness.
Victims of cryptojacking will often notice only a slight degradation in processing power—but organizations can wind up spending significant resources tracking down the reason for their systems’ sluggish performance. These organizations may even end up replacing parts that they think might be broken, not realizing that they are infected.
Cryptomining malware has targeted a variety of different operating systems and cryptocurrencies, using multiple infection techniques and revealing a versatility not typical for a new type of malware attack. And, unlike traditional ransomware, cryptojacking will continually bring in money to an attacker, with relatively low risk. By contrast, ransomware is usually a “one and done,” short-term transaction, where the attacker has to keep moving on to a smaller and smaller pool of new victims.
Given the rapid successes attributed to cryptojacking, and its ability to provide long-term profits for hackers, experts theorize that it will be around for a while. And cryptojackers have plenty of ways to make sure they stay in business.
An attack can be difficult to detect or trace, as the online-ad and website injection techniques do not require the infected script to be stored on a victim’s system. Cryptojackers also like to make their scripts as stealthy as possible, providing the ability to evade antimalware scans. Mining scripts can also re-infect a system and linger for long periods of time. Programs may wait to mine during off-hours, or use just a small fraction of CPU power, so that no alarms are raised. And they can maintain these activities for months, or years, leading to higher electric bills and higher costs to replace equipment that overheats or breaks down from excessive use.
Organizations can use a variety of tools to detect whether IT systems have been infected with cryptojacking malware. Coinhive is the most widely used cryptomining program, with CoinImp, deepMiner, and Crypto-Loot following close behind. Each of these programs has a distinct signature that can be detected and blocked. When in doubt, ask an expert familiar with cryptojacking to find and remove the malware; don’t try to do it yourself, as some mining software will crash a victim’s computer when it detects that the user is trying to remove it.
There are many other mining-program variants that have been appearing on a near-daily basis, so security managers need to be vigilant to protect their networks against infection. Resources such as CoinBlockerLists, maintained by ZeroDot1, contain updated lists of domains that are linked to cryptojacking programs. These domains can be added to a blacklist so that systems on the network are denied any connection to them.
Network monitoring tools are also effective in detecting cryptojacking malware. Finally, dedicated anti-mining extensions can be installed on browsers and ad-blocking software can effectively block mining programs. These tools should be used in conjunction with the other methods we’ve already discussed.
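As an added illustration of the domain-blocklist and network-monitoring approach just described (example code written for this article, not a tool from CoinBlockerLists or any vendor), the script below loads a one-domain-per-line blocklist with "#" comments, then scans proxy or DNS log lines and counts, per internal host, the lookups that land on a listed domain or one of its subdomains. The blocklist entries, the log lines and the "timestamp host destination" log format are all constructed samples.

```python
import re
from collections import Counter

# Constructed blocklist in the one-domain-per-line style of domain blocklists
# such as CoinBlockerLists; these domains are placeholders, not real miners.
BLOCKLIST_TEXT = """\
# constructed sample list: one domain per line, '#' starts a comment
miner-pool.example
cryptojack-cdn.example
"""
# Constructed proxy/DNS log lines: timestamp, source host, destination hostname.
SAMPLE_LOG = """\
2018-03-01T09:12:01Z ws-finance-07 cdn.miner-pool.example
2018-03-01T09:12:05Z ws-finance-07 www.intranet.example
2018-03-01T09:13:44Z ws-hr-02 cryptojack-cdn.example
2018-03-01T09:14:10Z ws-finance-07 miner-pool.example
2018-03-01T09:15:00Z ws-dev-11 notminer-pool.example
"""

def load_blocklist(text):
    """Parse a blocklist into a set of lowercase domains, ignoring comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line.rstrip("."))
    return domains

def is_blocked(hostname, blocklist):
    """True if hostname equals a listed domain or is a subdomain of one.
    Matching is label by label, so 'notminer-pool.example' does not match
    'miner-pool.example' the way a naive substring test would."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def find_cryptojacking_hits(log_text, blocklist):
    """Return {source_host: count} of lookups that hit the blocklist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, src, dst = m.groups()
        if is_blocked(dst, blocklist):
            hits[src] += 1
    return dict(hits)
```

Hosts that appear repeatedly in the result are candidates for closer inspection with the endpoint and browser-level tools mentioned above; a single hit may be a blocked ad rather than an infection.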