Goodbye Ransomware, Hello Cryptojacking!

If you had trouble last fall checking your elected officials’ claims on Politifact or streaming Homeland on Showtime Anytime, blame the cryptocurrency bubble. Hackers are suddenly breaking into companies’ systems and websites to steal their computing power and “mine” virtual currencies – slowing down all those computers’ day jobs.

The practice of “cryptojacking,” as some have dubbed it, spreads malware into systems and turns their computing power to solving the complex math required for cryptocurrency mining. This may seem like a relatively benign form of cyber-attack, but it slows your computers down and uses their energy at huge rates: One Bitcoin transaction uses as much energy as processing 100,000 Visa transactions, according to the Bitcoin Energy Consumption Index.

Cryptojacking on Pace to Overtake Ransomware

Botnets have been mining cryptocurrency for some time—one strain of the infamous WannaCry ransomware attack included cryptojacking. But as the bubble in cryptocurrency prices expands, cryptojacking is overtaking ransomware as bad actors’ favorite. In some cases, corporate servers are compromised (Tesla’s); in others, websites are targeted, from the Los Angeles Times to the San Diego Zoo and the Mexican state of Chihuahua. Politifact and Showtime were affected last fall.

“Until about a year ago, the concept of cryptojacking didn’t exist. Today, the news is full of stories about cryptojackers using more sophisticated methods to infiltrate devices, exploiting security breaches that already exist in user systems,” said Tyler Cohen Wood, Executive Director Cyber Workforce Training at CyberVista, a cybersecurity training and workforce development company.

She adds, “Cryptojacking is becoming more popular than ransomware because any device connected to the internet can be hijacked and most victims are unaware that their computers have been compromised because there is no ransom demanded.” Some researchers estimate that cryptojacking attacks increased by as much as seven times in the last year. One researcher found almost 35,000 infected sites during a search in February, almost 5,000 more than he picked up in a similar sweep last November.

“Our reliance on connected devices and IoT ensures that cyber threats like cryptojacking will not only increase but thrive,” notes Cohen Wood.

Dollars and Damage: Cryptojacking is NOT Benign

Cybersecurity expert Ian Eyberg, CEO of cloud infrastructure platform NanoVMs, notes that once cryptojackers get inside an organization’s public cloud or private system, “They can be really damaging.”

Cryptojacking hogs computer power and slows down systems; that’s an important way it can be discovered. Some cases are downright dangerous; one called HiddenMiner infected Android phones, turning them to perform operations at such a rate that they overheated and risked catching fire.

Some cryptojacking exploits can cause systems to fail. In one case, U.K. government computers were infected with a mining virus via an app that reads websites aloud to the blind. Nearly 5,000 websites were affected, forcing many to shut down for repairs, including the website of the app’s parent company. “It’s not the same thing as somebody trying to extort you, but it is annoying and it costs you money,” said Eyberg.

How Cryptojacking Works

To understand cryptojacking, one must first understand how blockchain works. The blockchain is a ledger where unrelated users can perform complicated equations to verify each encrypted block in a transaction. Individuals are paid with cryptocurrency to perform the math, but have to perform many calculations to earn a reward. 

Enter the unwitting host—a powerful corporate system the miner hacks into and uses as a source of 24/7 computing power. With the help of some malware, the system becomes a zombie army of crypto miners processing transactions and collecting cryptocurrency for their efforts.

Not all blockchains use token incentives. But enough do, and cryptocurrency has increased enough in value to make it profitable to those miners who can commandeer enough computing power. Observers fear another price runup will raise the incentive for more cryptojacking activity.

“Attackers absolutely consider their return on investment from their attacks,” said Ryan Olson, VP, Threat intelligence (Unit 42) at Palo Alto Networks. He recently wrote a threat brief online that explained cryptojacking’s popularity as a factor of both the high price of cryptocurrency and the low risk of prosecution.

“If the price of a particular coin (like Monero) were to fall past the point of profitability, I would expect attackers would shift their focus back to ransomware or other attacks,” said Olson. Monero is a favorite of cryptojackers due to its privacy features, which claim to make it harder to trace. It also requires less power to mine than Bitcoin, the most popular cryptocurrency, so hackers mining Monero are less likely to be discovered.

The ‘Stealth’ Exploit

Cryptojacking is stealthy and has multiple entry points, which makes it hard to spot and hard to prevent. Often, increased electricity use at off-peak hours or off-scale cloud computing bills are the tell-tale signs of cryptojacking, but are not often spotted until after the fact.

Indeed, Olson says that is often how cryptojacking exploits are discovered, in the end. Criminals gain access to an organization’s cloud account credentials and use them to create large numbers of virtual machines dedicated to mining coins. Since the organization contracts cloud resources on a pay-as-you-go basis, a sudden spike in bills reveals the zombie bots. Adds Eyberg: “I could write a program that spins 200 servers at night and nobody notices, but the bill comes a month later and it’s $200,000. Then it’s, ‘Oh my God.’”
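A burst of machine creation can be caught from audit records long before the invoice arrives. The following is an added example, not code from the article or from any of the experts quoted: it flags any credential that starts more instances within an hour than an assumed ceiling and notes whether the burst began in off-peak hours. The log format, principal names, window, threshold and quiet hours are all constructed assumptions; real cloud audit logs use provider-specific fields.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (not real provider output):
# "<UTC timestamp> <principal> <action> <instances requested>"
SAMPLE_LOG = """\
2018-06-04T14:05:00Z ci-deploy CreateInstance 2
2018-06-04T15:40:00Z ci-deploy CreateInstance 3
2018-06-05T01:10:00Z ops-key-7 CreateInstance 50
2018-06-05T01:12:00Z ops-key-7 CreateInstance 50
2018-06-05T01:13:00Z ops-key-7 DescribeInstances 0
2018-06-05T01:20:00Z ops-key-7 CreateInstance 100
2018-06-05T09:30:00Z ci-deploy CreateInstance 4
"""

WINDOW = timedelta(hours=1)  # assumed look-back window
THRESHOLD = 20               # assumed ceiling on instances per credential per window
OFF_PEAK = range(0, 6)       # assumed quiet hours, UTC

def parse(log):
    """Yield (timestamp, principal, count) for instance-creation records only."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "CreateInstance":
            continue  # skip malformed lines and unrelated API calls
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], int(parts[3])

def find_bursts(log):
    """Return {principal: alert} for credentials exceeding THRESHOLD in any WINDOW."""
    recent = defaultdict(deque)  # per-principal sliding window of (ts, count)
    alerts = {}
    for ts, principal, count in sorted(parse(log)):
        window = recent[principal]
        window.append((ts, count))
        while ts - window[0][0] > WINDOW:  # drop events older than the window
            window.popleft()
        total = sum(c for _, c in window)
        if total > THRESHOLD:
            alert = alerts.setdefault(principal, {
                "first_alert": ts,                # when the ceiling was first crossed
                "off_peak": ts.hour in OFF_PEAK,  # burst began in quiet hours
                "peak": 0,
            })
            alert["peak"] = max(alert["peak"], total)
    return alerts

if __name__ == "__main__":
    for who, alert in find_bursts(SAMPLE_LOG).items():
        print(who, alert)
```

Run against the constructed sample, only the credential that starts 200 instances between 01:10 and 01:20 is flagged; the daytime deployments stay under the ceiling.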

Cryptojacking can be prosecuted, of course, but the stealth factor makes it particularly difficult to track offenders – they don’t communicate with victims as ransomware actors do. The first successful prosecution for cryptojacking was reported earlier this year in Japan, where a cryptojacker was sentenced to a year in jail for hacking into a corporate system; his take was 5,000 yen, or about $45.

General Cybersecurity Hygiene is the Best Defense

“The same defenses that apply for other malware attacks generally apply to cryptojacking attacks,” said Olson. “Patching systems, being suspicious of possible phishing e-mails, using anti-malware technology are all important.”

While there are a number of tools available to block mining from computers—many ad-blocker apps are adding the feature and there are new apps that block coin miners—the best protection is the human factor, said experts. According to NTT Security, “It’s important to remember that threat actors are humans too, so it comes as no surprise that these threat actors are leveraging their skills to cash in on the cryptocurrency mining craze.”

“It’s critical that businesses have a robust cybersecurity program that includes education and policy on cryptojacking so that employees know what it is and are aware of the problem,” said Cohen Wood. “Restricting browser activity and putting strict parameters on BYOD will certainly help, but educating your workforce on the issue will go a long way toward making sure cryptojacking doesn’t happen to you.” Comprehensive business continuity and disaster recovery plans that include cryptojacking protocols are very important steps that all businesses can deploy, she added.

Constant Vigilance!

Fighting cryptojacking is a constant process. Many experts noted that the vulnerability exploited in a malware attack affecting website publisher Drupal last year still had not been patched in many systems. A patch to protect systems from Drupalgeddon2 was released in March, but as of June more than 115,000 sites were still found open to attack.

Vigilance may be the most effective protection. Experts recommend monitoring your internal help desk; if it suddenly receives a large number of complaints that internal systems are slow, or web pages aren’t loading, that’s a sign, said Eyberg.