Despite price fluctuations of Bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.
The good news for cryptocurrency is that the model is an established fixture in global finances. It’s highly portable, holds value, is tradable for products and services, and is gaining popularity among mainstream consumers.
It can also be a rewarding investment tool if you’re truly adventurous. Of course, fortunes are won and lost in a wink of an eye as many cryptocurrency issues (e.g., Bitcoin, Ethereum, Cardano) are highly volatile, with values sometimes soaring to astronomical highs and plummeting into white-knuckle lows within days or weeks. However, there are other less scary ways to invest in the currency, and it is gaining enough popularity to form emergent marketplaces in the global economy. One of them is called “cryptomining.”
What is Cryptomining: An Explainer
Cryptomining is a process that validates cryptocurrency transactions in distributed public ledgers. Each transaction is linked to the previous and subsequent transactions, creating a blockchain chain of time-stamped records.
This is one way that a cryptominer may participate in cash activity without having to invest in the currency. For example, if you mine for Bitcoin, you receive Bitcoin as compensation for completing blocks of verified transactions added to the blockchain. It takes about 10 minutes to process a single block of Bitcoin with payment set around 5-7 BTC (Bitcoin) per block.
All you need is a little knowledge about connecting to the cryptocurrency network, a reliable connection to the Internet, one or two decent servers, and a steady power supply. The more server power you can enlist for your cryptomining operation, the more money you generate.
But there’s a twist to this process, and this is where the bad news comes in. Miners only earn cash when they complete the data process faster than others; and there are literally, hundreds of miners trying to process the same block simultaneously. For that reason, miners are constantly looking for ways to scale up their hashrate (a metric for computational power). The more hashes produced each second, potentially the more money you make.
The question is, how do cryptominers maximize their computational power without the heavy investment of new servers, bandwidth, and electricity? The unfortunate answer: they turn “cryptojacking.”
Why Cryptojacking is on the rise.
Cryptojacking is cryptomining, but now the miner is using someone else’s computer without permission. Victims usually have no idea that their computers have been slaved into this kind of use, often through the introduction of malware or other unauthorized access.
In April 2018, SonicWall started tracking cryptojacking trends. Back then, the company recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. But as reported in the Mid-Year Update to the 2021 SonicWall Cyber Threat Report, as crypto currency prices hit new highs during the first half of 2021, cryptojacking incidents soared to 51.1 million, increasing nearly 400% since 2018.
Unlike ransomware which relies on the visibility of phishing emails and messages, cryptojackers do their work invisibly in the background. The only sign you may get that one lurks in your computer is by monitoring a CPU performance graph or noticing that a device fan is running harder than usual.
Anecdotally, over the last two years, we’ve noticed that ransomware teams tend to switch to other activities like cryptojacking. One apparent reason they change is that the return on investment for a ransomware scheme and strain (that took months of development work) diminishes as soon as it ends up on public feeds like VirusTotal.
Like anyone else running a profitable business, cybercriminals tend to be agile and flexible about their work. As a result, they’re actively searching for different ways to fulfill their financial targets. Cryptojacking adds agility and is relatively easy to deploy with their other criminal activity.
The allure of cryptomining.
With such low cost and practically zero risks, cybercriminals see many strong incentives to engage cryptomining as a base business model. Much of the operation itself is automated through software. If a cryptomining team can infect ten machines, their potential net gain could be $100/day, so the challenge for cryptojackers is three-fold:
- Find targets, namely organizations with many devices on the same network, especially schools or universities.
- Infect as many machines as possible.
- Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).
Cryptojackers use similar techniques as malware to sneak onto an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.
Am I infected by cryptojackers?
Cryptojackers are interested in your processing power. They trade a little of their stealth for their need to make a profit. So how much of your CPU resources they take depends on their objectives. Siphoning less computing power makes it harder for unsuspecting users to notice; stealing more increases their profits. Of course, there will be a performance impact in either case, but if the threshold is low enough, it is challenging even for experienced IT managers to distinguish a jacking operation from legitimate software processes.
Enterprise administrators may look for unknown processes in their environment, and end-users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.
How to defend against malicious cryptominers.
The first step in defending against cryptominers who turn to jacking is to stop this type of malware at the gateway through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.
Since people like to reuse old code, catching cryptojack malware is relatively simple. However, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques as hackers develop more tools and deepen their sophistication. In addition, cryptojacking could still become a favorite method for malicious actors because of its concealment threshold; low and indirect damage to victims reduces chances of exposure and extends the useful lifespan of a successful attack.
If the malware strain is unknown (new or updated), it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.
The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.
If you have an endpoint not behind this typical setup (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.
Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.
A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and shut down the operation. Then, an administrator can quickly quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware is executed.
By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest malware forms no matter the trend or intent.