How to detect, mitigate and stop cryptomining malware


Episode 152 – The Toll of TOLA – Australia’s Amendment for Assistance and Access – Interview with Nick Fitzgerald, ESET’s Senior Research Fellow

When the phrase “cryptocurrency” comes up in conversation, you’re likely to think of the famous (or infamous) Bitcoin craze, or of blockchain, the innovative technology behind it. But there’s a lesser-known trend in cryptocurrency that’s currently affecting businesses and their employees: Cryptojacking.

A growing number of cybercriminals have turned from ransomware to unauthorised computer access in order to mine cryptocurrencies. The losses for an individual victim or company, due to increased power bills and reduced productivity, can be quite disruptive – but the key issue lies in the fact that these attacks are not always easy to detect, and so may continue for quite some time.

That’s why the team at ESET has created a guide to help users understand what cryptomining is, and how best to identify, prevent, and remove cryptomining software before it wreaks too much damage.

What is cryptojacking?

Cryptojacking is the unauthorised use of someone else’s devices, networks, or websites to mine cryptocurrency. Fortunately, cryptojacking doesn’t steal or damage the victim’s data – but it does drain CPU processing power and can shorten the lifespan of your devices, particularly battery-powered ones.

Businesses with cryptojacked systems can incur high costs in terms of time and resources spent responding to performance issues, as well as replacing affected components or systems.

How do hackers do it?

Cryptojackers gain unauthorised access to devices in many ways. Unlike with traditional malware, simply luring victims into clicking a link in a malicious email, or infecting online advertising, can be enough. This approach need not even breach the user’s web browser, as the cryptomining code runs as part of the “legitimate” JavaScript loaded with the other page elements.

However, device cryptojacking can also follow the same paths as traditional malware compromises. Other attackers use torrenting websites to trick users into downloading browser-based miners. There have even been incidents of apps offered “legitimately” from the Google Play store containing illicit cryptomining code, and illicit cryptominers are often seen among the payloads of multi-stage malware downloaders. After gaining access to a new machine, such miners install themselves in the background and begin to work.

How to check if you have been affected by cryptojacking:

  • Your computer has been overheating or the fan has been running a lot
  • Your phone or tablet runs hotter than usual and/or battery has been dying quickly
  • Your device has been using a lot of CPU

Training your cybersecurity team or help desk to keep an eye out for any of these signs will help mitigate a cryptojacking incident – often the first indication of a widespread cryptojacking incident is a sudden increase in employee complaints about slow computer performance.
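The “using a lot of CPU” sign above is easy to automate on an endpoint. The following is an added example (not ESET’s code) that runs the check over a series of process-table snapshots: it flags any process that stays above a CPU threshold for several consecutive samples, which is the steady-load pattern a background miner produces, and separates names that are expected to be busy (browsers, media encoders) from the rest so the help desk looks at the unexpected ones first. The snapshots, the process names, the 80% threshold and the “expected busy” list are all constructed assumptions for the illustration; in practice the samples would come from `ps`, Task Manager or a library such as psutil.

```python
"""Flag processes that keep a CPU core busy across repeated samples.

Added example, not ESET's own code. Snapshots, names and thresholds below
are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Names normally expected to be busy; they are reported at lower priority (assumption).
EXPECTED_BUSY = {"chrome", "firefox", "ffmpeg"}
CPU_THRESHOLD = 80.0   # percent of one core (assumption)
MIN_SAMPLES = 3        # consecutive samples the threshold must hold for (assumption)


@dataclass(frozen=True)
class Sample:
    pid: int
    name: str
    cpu_percent: float


# Constructed snapshots, taken one minute apart (not real telemetry).
# "update_helper" is a made-up name standing in for an unknown background process.
SNAPSHOTS = [
    [Sample(1201, "chrome", 95.0), Sample(4410, "update_helper", 98.5), Sample(512, "explorer", 2.0)],
    [Sample(1201, "chrome", 90.0), Sample(4410, "update_helper", 99.1), Sample(512, "explorer", 1.0)],
    [Sample(1201, "chrome", 85.0), Sample(4410, "update_helper", 97.8), Sample(512, "explorer", 3.0)],
    [Sample(1201, "chrome", 12.0), Sample(4410, "update_helper", 98.9), Sample(512, "explorer", 2.5)],
]


def sustained_high_cpu(snapshots, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """Return {(pid, name): longest_run} for processes at or above `threshold`
    in at least `min_samples` consecutive snapshots."""
    run = defaultdict(int)   # current consecutive run per process
    best = defaultdict(int)  # longest run seen per process
    for snap in snapshots:
        seen = set()
        for s in snap:
            key = (s.pid, s.name)
            seen.add(key)
            if s.cpu_percent >= threshold:
                run[key] += 1
                best[key] = max(best[key], run[key])
            else:
                run[key] = 0
        # A process missing from a snapshot (exited, restarted) breaks its run.
        for key in list(run):
            if key not in seen:
                run[key] = 0
    return {k: v for k, v in best.items() if v >= min_samples}


def triage(snapshots):
    """Split findings into unexpected names (investigate first) and expected-busy names."""
    findings = sustained_high_cpu(snapshots)
    unexpected = {k: v for k, v in findings.items() if k[1] not in EXPECTED_BUSY}
    expected = {k: v for k, v in findings.items() if k[1] in EXPECTED_BUSY}
    return unexpected, expected


if __name__ == "__main__":
    unexpected, expected = triage(SNAPSHOTS)
    for (pid, name), n in unexpected.items():
        print(f"INVESTIGATE pid={pid} name={name}: >= {CPU_THRESHOLD}% CPU for {n} consecutive samples")
    for (pid, name), n in expected.items():
        print(f"note pid={pid} name={name}: busy for {n} samples (on expected-busy list)")
```

The consecutive-sample requirement is what keeps a one-off spike (a page load, a compile) from paging anyone; a miner has no reason to ever stop, so its run length simply grows with the observation window. Run the script on a schedule and forward the "INVESTIGATE" lines to whoever handles the performance complaints the article mentions.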

How to prevent and detect cryptojacking:

  • Ad-blocking or anti-cryptomining extensions: Because in-browser cryptojacking scripts are a common attack vector, installing an ad blocker into your browser can be an efficient way to stop them.
  • Mobile device management (MDM) solutions: While mobile devices aren’t targeted as often as desktop computers and servers, bring-your-own-device (BYOD) practices in the workplace do pose some level of risk when it comes to cryptojacking. An MDM solution like ESET Android Protection can help secure and protect what’s on a user’s device by managing apps and extensions.
  • Script-blocking browser extensions: Prevent hackers from using malicious browser extensions or infecting legitimate ones with a script-blocking browser extension. Services like NoScript for Mozilla Firefox, ScriptBlock, or ScriptSafe for Google Chrome will help to block browser miners from running.
  • Web filtering tools: If a web page has been found to be running cryptojacking scripts, make sure the page is promptly blocked from being accessed again, as many ESET products ensure.
  • Antivirus software: You should always use an antivirus on mobile and desktop. To stop most cryptojacking and some browser-based miners, ensure you are regularly scanning your phone and desktop for malware, clearing cache and cookies – and don’t download anything from unauthorised or unfamiliar sources.

How to mitigate a cryptojacking incident:

  • Block bad scripts: If you’ve experienced an in-browser JavaScript attack, kill the browser window or tab running the script, identify the website URL, and update your company’s web filter to block it. To prevent future attacks, consider deploying an anti-cryptomining solution.
  • Update your browser extensions: If it was a web extension that infected your browser with malware, simply closing the window or tab won’t help – you’ll need to uninstall or update the affected extensions in order to remove any that are compromised with cryptojacking code.

Adapting to new risks

It’s important your business stays informed, alert, and protected against the threat of cryptojacking. Learn from your own experiences, the experiences of other companies, and from cybersecurity experts in order to better understand how cryptojacking works.

Update your employee and IT training to ensure cryptojacking attempts can be identified and responded to appropriately, and adopt a suitable antivirus solution for an additional line of defence.

For reliable, sophisticated protection, consider employing a solution such as ESET Smart Security Premium to help guard your company’s online safety against an array of cybersecurity threats.
