Cryptojacking has recently exploded onto the cybercrime scene, thanks to the surge in value of cryptocurrencies such as Bitcoin, Monero and Ethereum. It is an issue for business because crooks are aggressively targeting laptops, desktops, servers and even mobile devices. From a single device to entire networks, they infect as many devices as they can and use other people's computers to mine cryptocurrency for themselves.
Simply put, you do the work, pay for the electricity and hardware, and they pocket the rewards. Here, UK head of Sophos Adam Bradley gives his advice on what cryptojacking is and how you can fight back.
What is cryptomining?
Cryptomining is the process of validating transactions and adding them to a shared digital ledger called a blockchain, which is specific to one cryptocurrency, e.g. Bitcoin. A blockchain is a method of recording transactions that ensures cryptocurrency isn't created out of thin air and that people can't cheat by spending the same currency twice, much as banks do with traditional money.
With a blockchain the entire network, rather than an intermediary or an individual, verifies transactions and adds them to the public ledger. In proof-of-work currencies such as Bitcoin and Monero, miners compete to solve a computationally expensive puzzle: the first to find a solution gets to append the next block of verified transactions and is rewarded with cryptocurrency. Solving the puzzle takes an enormous number of hash attempts, while checking a solution takes one, which is why raw processing power is the thing worth stealing.
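To make the "compete to solve a puzzle" part concrete, here is a toy proof-of-work miner in Python. It is an added example written for this page, not code from the original article or from any real cryptocurrency: the block contents, serialisation and difficulty are simplified stand-ins, and a real network's target is many orders of magnitude harder. What it shows is the asymmetry cryptojackers exploit: finding a valid nonce costs thousands of hash attempts, verifying one costs a single hash.

```python
import hashlib
import json

# Constructed sample block contents (a real block header looks different).
SAMPLE_BLOCK = {
    "previous_hash": "0" * 64,
    "transactions": ["alice->bob:1.5", "bob->carol:0.25"],
}


def block_hash(block: dict, nonce: int) -> bytes:
    """Double SHA-256 of the serialised block followed by a candidate nonce."""
    payload = json.dumps(block, sort_keys=True).encode() + nonce.to_bytes(8, "big")
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the hash, read as a big-endian integer, has at least
    `difficulty_bits` leading zero bits, i.e. is below 2**(256 - difficulty_bits).
    Each extra bit of difficulty doubles the expected number of attempts."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(block: dict, difficulty_bits: int) -> tuple[int, int]:
    """Brute-force nonces from 0 upwards until one meets the target.

    Returns (nonce, attempts). This loop is the work a miner, legitimate or
    not, burns CPU on; a cryptojacker simply runs it on someone else's machine.
    """
    nonce = 0
    while True:
        if meets_target(block_hash(block, nonce), difficulty_bits):
            return nonce, nonce + 1
        nonce += 1


def verify(block: dict, nonce: int, difficulty_bits: int) -> bool:
    """Verification is a single hash: cheap for every node on the network,
    expensive to forge, which is what makes the scheme work."""
    return meets_target(block_hash(block, nonce), difficulty_bits)


if __name__ == "__main__":
    bits = 12  # roughly 4,096 attempts on average; real networks use far more
    nonce, attempts = mine(SAMPLE_BLOCK, bits)
    print(f"nonce {nonce} found after {attempts} attempts; valid={verify(SAMPLE_BLOCK, nonce, bits)}")
```

Raising `difficulty_bits` by one doubles the expected attempts, so a miner's income is proportional to how many hashes per second it can throw at the puzzle, and therefore to how many CPUs it controls.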
What is cryptojacking?
Cryptojacking is malicious cryptomining. The basic difference is intent. Legitimate and malicious mining are the same in almost every sense except who gets paid and whether the person who owns the device performing the mining willingly chooses to participate.
Cheaper and with less chance of being traced than running ransomware, it is easy to see why the crooks want as much computing power as possible: the more devices mining for them, the greater their chance of successfully mining cryptocurrency. The more they mine, the more they make.
There are two main ways cybercriminals get access to unsuspecting machines for cryptojacking: malicious JavaScript miners and native code attacks. Malicious JavaScript is the quick and easy way to enslave a large number of devices. The criminals plant mining code in a website or an online advert, and it starts running as soon as a victim visits the page, turning every browser that loads it into a worker. The mining stops when the browser (or the tab) is closed, so in theory it is easy to stop. In practice, how often do users actually close their browsers rather than leaving them running in the background?
Native code attacks
Native code attacks are nothing new, and native code cryptominers are a particularly nasty example of an infection. The criminals infect your devices through traditional malware delivery, install cryptomining software and set your device to work. Cryptojacking malware resembles ransomware in that it uses the same kinds of exploits and infection mechanisms, not only to infect a device in the first place but also to move laterally across the network and infect as many devices as possible.
If that's not enough, the criminals also install a Remote Access Trojan (RAT). That means they can not only run invisibly on your device, they also have complete control: they can delete and modify files, upload and download files, and install other malware.
Finding cryptojacking malware on one or more of your devices is therefore a major concern, because the mining software may be the least of your problems. How did they get in, what else have they done, and which other devices have they infected with cryptojacking or other malware? These questions need urgent answers.
The other dangerous thing about cryptojacking is that it's tricky to tell whether you've been 'jacked'. The tell-tale sign is CPU usage on the device climbing to near maximum and staying there, with the device slowing to a crawl. The harder a processor works, the more electricity it consumes and the hotter it gets.
Mobile devices can reach 'cooking temperatures', and mining drains a battery quickly, in extreme cases causing the battery to swell and destroying the device. Electricity bills will rise too, although the IT team that suspects cryptojacking rarely has access to the organisation's electricity bills.
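As an added illustration of the symptoms described above, for both the native-code and the browser-based cases, the Python below correlates three signals an investigator can pull from an endpoint: CPU usage that stays pegged across several polls rather than bursting, a mining-pool URL on a process command line, and the JSON-RPC handshake that Stratum-style pools use (mining.subscribe and mining.authorize for Bitcoin-style pools, login and submit for Monero-style pools). This is example code written for this page, not a Sophos tool or anything from the original article. All the telemetry is constructed sample data; the hostnames, pids, process names and the method list are assumptions, and the 90 per cent threshold is a starting point to tune, not a rule.

```python
import json
import re

# --- Constructed sample telemetry (not real captures) -------------------------
# CPU samples as (poll, pid, name, cpu_percent): five polls a few seconds apart,
# the kind of data psutil or repeated `ps` calls would give you.
CPU_SAMPLES = [
    (0, 101, "kworker/u8:2", 3.0), (0, 412, "chrome", 97.5), (0, 555, "cc1", 95.0), (0, 777, "updater", 92.0),
    (1, 101, "kworker/u8:2", 2.5), (1, 412, "chrome", 99.0), (1, 555, "cc1", 97.0), (1, 777, "updater", 94.0),
    (2, 101, "kworker/u8:2", 4.0), (2, 412, "chrome", 96.0), (2, 555, "cc1", 6.0),  (2, 777, "updater", 91.0),
    (3, 101, "kworker/u8:2", 3.0), (3, 412, "chrome", 98.0), (3, 555, "cc1", 4.0),  (3, 777, "updater", 95.0),
    (4, 101, "kworker/u8:2", 2.0), (4, 412, "chrome", 99.0), (4, 555, "cc1", 5.0),  (4, 777, "updater", 93.0),
]

# Process command lines keyed by pid (constructed; "updater" is a made-up miner name).
CMDLINES = {
    412: "/opt/google/chrome/chrome --type=renderer",
    555: "/usr/lib/gcc/x86_64-linux-gnu/12/cc1 -O2 main.c",
    777: "./updater -o stratum+tcp://203.0.113.7:3333 -u wallet.worker1 -p x",
}

# Log lines carrying the first bytes of each outbound payload (constructed; the
# browser line stands in for a web miner relaying pool traffic over a WebSocket).
NET_EVENTS = [
    'pid=777 dst=203.0.113.7:3333 payload={"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
    'pid=777 dst=203.0.113.7:3333 payload={"id":2,"method":"mining.authorize","params":["wallet.worker1","x"]}',
    'pid=412 dst=198.51.100.9:443 payload={"id":1,"method":"login","params":{"login":"44AbC","pass":"x","agent":"example-web-miner/1.0"}}',
    'pid=980 dst=192.0.2.20:443 payload=GET /index.html HTTP/1.1',
]

# Assumed method list: Stratum v1 (Bitcoin-style pools) plus the CryptoNote-style
# variant Monero pools use. Extend it for the pools you actually see.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "getjob", "submit"}
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl|tls)://\S+")
NET_LINE = re.compile(r"pid=(\d+) dst=(\S+) payload=(.*)$")


def sustained_cpu_hogs(samples, threshold=90.0, min_polls=4):
    """Return {pid: name} for processes at or above `threshold` % CPU on *every* poll.

    Requiring every poll in the window, not the average, is what separates a
    miner from a legitimate burst such as a compile or a video encode.
    """
    by_pid = {}
    for _poll, pid, name, cpu in samples:
        by_pid.setdefault(pid, (name, []))[1].append(cpu)
    return {pid: name for pid, (name, cpus) in by_pid.items()
            if len(cpus) >= min_polls and min(cpus) >= threshold}


def stratum_indicators(events):
    """Return [(pid, dst, method)] for payloads that look like a mining-pool JSON-RPC handshake."""
    hits = []
    for line in events:
        m = NET_LINE.match(line)
        if not m:
            continue
        pid, dst, payload = int(m.group(1)), m.group(2), m.group(3)
        try:
            msg = json.loads(payload)
        except ValueError:  # not JSON (plain HTTP, TLS bytes, ...)
            continue
        method = msg.get("method") if isinstance(msg, dict) else None
        if method not in STRATUM_METHODS:
            continue
        # "login" is a generic name; only count it when it carries a wallet-style login field.
        if method == "login" and not (isinstance(msg.get("params"), dict) and "login" in msg["params"]):
            continue
        hits.append((pid, dst, method))
    return hits


def cryptojacking_report(samples, cmdlines, events):
    """Correlate the three signals per pid: {pid: [reason, ...]}.

    One reason is a lead; two or more on the same pid is an incident, and the
    next question is how it got there and what else it brought with it.
    """
    reasons = {}
    for pid, name in sustained_cpu_hogs(samples).items():
        reasons.setdefault(pid, []).append(f"sustained CPU as {name}")
    for pid, cmd in cmdlines.items():
        if STRATUM_URL.search(cmd):
            reasons.setdefault(pid, []).append("stratum URL on command line")
    for pid, dst, method in stratum_indicators(events):
        reasons.setdefault(pid, []).append(f"{method} to {dst}")
    return reasons


if __name__ == "__main__":
    for pid, why in cryptojacking_report(CPU_SAMPLES, CMDLINES, NET_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

In the sample data the compiler (`cc1`) is not flagged despite two polls at 95 per cent, while the renderer and the masquerading `updater` are flagged on CPU and then corroborated by pool traffic. On a real estate you would feed `sustained_cpu_hogs` from your endpoint agent and `stratum_indicators` from proxy or IDS payload logs, and treat a hit on a server that has no business being busy as the start of an incident, not a performance ticket.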
Impact on business
While there are more significant threats than cryptojacking at the moment, the impact on business can be just as costly:
- Unbudgeted operating expenses from powering computers to work for someone else
- Opportunity costs: Legitimate work gets slowed down, and customers and employees may be unable to access your services because criminals are using all your processing power
- Security risks from who-knows-what untrusted programs and network connections
- Reputational: What else did the criminals impact during the breach?
- Regulatory costs of reporting, investigating and explaining the cryptomining activity. Under GDPR, any breach that touches personal data could have significant cost implications, and the RAT that often accompanies a miner makes that a real possibility.
How to fight back
The best way to fight back against cryptojacking and protect your business from being 'jacked' is primarily to get the right technology in place:
- Block cryptojacking malware at the gateway and the endpoint, using a range of techniques including file scanning and Deep Learning
- Block websites hosting JavaScript miners
- Block the exploit techniques used to spread cryptojacking malware at every point in the attack chain
- Have 100 per cent visibility of all applications to make an informed choice about blocking them or allowing them to run
- On mobile devices stop malicious apps being installed and block known mining websites both on and off your network
- Incorporate cryptojacking awareness into user security training to ensure everyone knows what to look for and how to prevent it
- Like any cybercriminal activity, having good security hygiene in general, such as strong passwords, and high user awareness, will also help prevent many attacks.