Move Over, Ransomware: Cryptojacking is the New Kid in Town

Ransomware has been the “go-to” play for attackers, taking advantage of the relative anonymity of cryptocurrency payouts and hitting a record-breaking $2 billion in 2017. While ransomware can result in lucrative payouts, it also requires vast research, social engineering and technical acumen, and comes with some risk for criminals. As a result, this year ransomware has taken a back seat to cryptomining and cryptojacking as the attacks of choice. The first half of 2018 saw a 956 percent increase in cryptojacking attacks compared to the first half of 2017, according to a recent report by Trend Micro.

One particularly popular way to cryptomine is to poison a website’s code with a JavaScript miner library such as Coinhive and then hijack the visitor’s browser to mine through it. This is known as cryptojacking. Although the terms have been used interchangeably by many, the easiest way to differentiate the two is that cryptomining mines directly on a machine’s CPU, while cryptojacking “steals” your website visitor’s browser window for mining.

The Rise of Cryptojacking

So, why has cryptojacking grown in popularity so quickly?

Simply put, it’s safer, less noticeable and easier to pull off repeatedly compared to most other types of exploits. Cryptojacking can be executed on any connected computer, phone or other device that is capable of simple math operations. Not to mention, the risks and consequences are minimal—at least for now.

While cryptojacking is not a victimless crime, it comes close. It does not steal victims’ data, spy on them or stay persistent on their computers. It is a relatively lightweight attack that uses the spare capacity of victims’ CPUs and power. As long as a victim is not paying extra for these things as a result of cryptojacking, there is no harm done to them. Consequently, there is very little motivation to pursue the bad actor or even terminate a cryptojacking exploit once it is detected.

For now, cryptojacking can be accomplished essentially without risk of consequences and it is a fairly easy—albeit slow—way to monetize. But, it may not stay this way forever. It is safe to assume that cryptojacking’s popularity will rise and fall, correlating with new trends, attack methods and cryptocurrency prices—Monero and Electroneum, which are both very volatile.

This brings us to the burning question: Who is most at risk and how do you know if you are a victim of cryptojacking?

In short, nobody is immune to cryptojacking or cryptomining. Anyone with an internet connection and a CPU is a target and has reason to worry. This includes Linux, Mac and PC users alike, as well as corporate server environments. And unless their computer slows to the point where their work or entertainment is disrupted, most people will have no idea that they are being cryptomined or, in the case of compromised browser performance, cryptojacked. As a result, it can be difficult to secure at-risk and compromised machines.

But, just as people check and change their oil, it makes sense to do frequent cryptomining CPU checks. Like our cars, our computers will operate a little slower over time unless we conduct routine maintenance.

Here’s what you should be keeping an eye on:

  • Bandwidth load: Install an application that monitors your bandwidth usage to keep an eye on how much data your computers and other devices are processing.
  • CPU load: Set up a performance monitor and see how your CPU is operating compared to how it should be.
  • Disk space and memory use: Keep an eye out for unusual activity.
  • Temperature: Monitor the temperature and noise of your device—if it is often overheating, there is a good chance it is cryptomining.
  • Domain destinations: Pay attention to the domain destinations that your network is communicating with and compare these to the readily available blocklists of cryptomining domains, such as Coinhive.com, and blacklist them.
  • Anti-malware: Ensure that you are running up-to-date anti-malware software.

It is nearly impossible to entirely avoid visiting cryptojacking websites, as any website can be hijacked and injected with a mining library. But, in the case of protecting endpoints, the good news is that so far there are few such libraries and most can be blocked with the help of a browser extension. Resources such as NoCoin, minerBlock and ad blockers can prevent known mining libraries from executing on your endpoint.

That said, blacklisting approaches are unlikely to hold back the tide for the long term. A more effective and aggressive approach is to use a NoScript extension to block all JavaScript. Unfortunately, that is also likely to disrupt operations of some legitimate websites.

Protecting websites against the injection of miner libraries is up to the website owners. They need to tightly lock down access credentials to their websites, continuously monitor their websites for script injections and use the Content-Security-Policy HTTP header to block non-approved scripts from running on their sites.

While exploit trends and cryptocurrency prices will continue to fluctuate, a bad actor’s intent to compromise and monetize will always trend upwards. But, take heart—the cybersecurity industry continues to fight on.

Nick Bilogorskiy

Avatar photo

Nick Bilogorskiy

Nick Bilogorskiy drives cybersecurity strategy at Juniper Networks. As a Founding Member at Cyphort, which was acquired by Juniper Networks, Bilogorskiy created and led the Cyphort Labs Threat Research team and played a critical role designing Cyphort’s malware detection logic and product user experience. Prior to Cyphort, Bilogorskiy was Chief Malware Expert at Facebook and also held security research leadership positions at Fortinet and Sonicwall. Bilogorskiy is fluent in reverse engineering, analysis, pattern writing and malware tracking. He holds a bachelor of science degree in computer science and philosophy from Simon Fraser University, a GIAC Reverse Engineering Malware (GREM) certification and multiple patents in computer security.

nick-bilogorskiy has 1 posts and counting.See all posts by nick-bilogorskiy