As the value of cryptocurrencies soared last year, so too did cryptojacking, in which criminals use hacked computers to mine for new crypto coins. Although not as damaging as some other forms of malware, cryptominers can degrade a device’s performance and, if undetected, can alert criminals to an insecure network.
What is cryptojacking?
Cryptojacking is a type of cybercrime in which a hacked computer is used to mine for cryptocurrency.
Many cryptocurrencies, including Bitcoin, allow anyone to mint new coins by performing compute-intensive cryptographic calculations, a process known as ‘mining’.
This has led enterprising criminals to develop and distribute cryptomining malware which, when loaded onto a compromised device, mines for new coins. “You’re hijacking someone else’s machine, their processing power, the battery life and their memory to mine cryptocurrency,” explains Daniel Almendros, cyber threat intelligence analyst at Digital Shadows.
Various methods for measuring cryptojacking reveal an upward trend. Network security provider SonicWall detected 51.1 million ‘attacks’ in the first half of 2021, a 23% increase compared to the same period of 2020. Anti-malware software provider Malwarebytes, meanwhile, detected a 300% increase in cryptomining malware last year.
One reason for this uptick is the growing value of cryptocurrencies, says Dmitriy Ayrapetov, SonicWall’s VP of platform architecture, which makes cryptojacking more lucrative. The combined value of all cryptocurrencies grew by 185% in 2021, according to the World Economic Forum, although bitcoin has slumped since the start of this year. Malwarebytes's Mark Stockley agrees: the uptick, he says, "is probably just a matter of economics".
How does cryptojacking work?
Cryptojacking malware is often designed to mine Monero, a cryptocurrency popular among cybercriminals. While mining bitcoin today requires specialist hardware and access to cheap electricity, Monero can be mined on ordinary computers, says Brian Carter, senior cybercrimes specialist at blockchain analytics provider Chainalysis. “Monero is specifically designed to be mined with an ordinary CPU,” he explains.
The currency also lends itself to illicit mining as the wallets are particularly hard to track, says Almendros. “Monero is definitely popular because it is a privacy-oriented coin," he says. "It's incredibly difficult to track its wallet addresses, the IRS has a several hundred thousand bounty for anyone who can crack it.”
In the early days of cryptojacking, criminals would seek to load a single miner onto an individual machine. But this is slow and easily detected, as it has a noticeable impact on that machine’s performance.
Now, cryptominers are distributed across multiple compromised devices, says Almendros. "The way it's done now is more en masse," he explains. "Instead of just setting up one miner on one host, a load of hosts mine at a lower intensity meaning you're less likely to be detected.” This makes networks of connected computers – such as a company’s data centre or local area network – appealing targets.
Cryptomining malware is increasingly distributed by botnets, according to research by security vendor Darktrace. Botnets are the “vehicle of choice to deliver cryptomining malware,” the company says, as they allow criminals to harness the processing power of hundreds, or even thousands, of machines. Darktrace predicts an uptick in cryptojacking attacks distributed by botnets, particularly after last year’s crackdown on bitcoin farms in China.
These botnets typically target vulnerabilities in internet-facing systems such as web servers, VPN gateways, or cloud application delivery platforms. Many of the vulnerabilities that cryptojacking botnets exploit are widely unpatched, says Ayrapetov. The Lemon Duck mining botnet, for example, compromises targets through a group of vulnerabilities in Microsoft Exchange Server called ProxyLogon.
"There are a lot of companies that have exploits like ProxyLogon and have not fully patched for it,” Ayrapetov explains. “If they're public-facing, if they have exposed machines, attackers can use scanning tools to see who's got open ports, who's vulnerable."
Cryptominers themselves are not the most damaging kind of malware a business might encounter, as they aren’t designed to extract data or extort their victims. When the Log4J vulnerability was publicised in December last year, many of the first exploits were cryptominers. This may have been beneficial, David Washavski of Israeli security company Sygnia told Tech Monitor at the time, as it may have alerted victims that they were compromised without inflicting much harm.
However, cryptominers can be used as ‘scouts’ that help criminal gangs identify compromised machines. "If you've got a cryptojacker on a corporate network,” explains Almendros, “it stays there for a while and the company hasn't detected it, cybercriminals behind the illicit cryptomining could then upload a Trojan or some other kind of back door."
How to prevent cryptojacking
Detecting cryptomining malware on a device is challenging as the symptoms – such as a decrease in performance or overheating – can be easily overlooked. A sharp uptick in CPU usage without an apparent reason could be an indicator, security company Veronis notes in a blog post. “If there’s an increase in CPU usage when users are on a website with little or no media content, it’s a sign that cryptomining scripts may be running,” it says.
Aside from patching common vulnerabilities, the best defence against cryptojacking is employee awareness, says Almendros. “If something is changing and you didn't expect it to change, or if your computer is suddenly going slower or things need repairing more often for teams as a whole, making sure that employees are reporting things like that can make all the difference.”