Cryptojacking explained: How to prevent, detect, and recover from it

Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it.

1 2 Page 2
Page 2 of 2

Employee training won’t help with auto-executing cryptojacking from visiting legitimate websites. “Training is less effective for cryptojacking because you can’t tell users which websites not to go to,” says Vaystikh.

Install an ad-blocking or anti-cryptomining extension on web browsers. Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective means of stopping them. Some ad blockers like Ad Blocker Plus have some capability to detect cryptomining scripts. Laliberte recommends extensions like No Coin and MinerBlock, which are designed to detect and block cryptomining scripts.

Use endpoint protection that is capable of detecting known crypto miners. Many of the endpoint protection/antivirus software vendors have added crypto miner detection to their products. "Antivirus is one of the good things to have on endpoints to try to protect against cryptomining. If it’s known, there’s a good chance it will be detected," says Farral. Just be aware, he adds, that crypto minor authors are constantly changing their techniques to avoid detection at the endpoint.

Keep your web filtering tools up to date. If you identify a web page that is delivering cryptojacking scripts, make sure your users are blocked from accessing it again.

Maintain browser extensions. Some attackers are using malicious browser extensions or poisoning legitimate extensions to execute cryptomining scripts.

Use a mobile device management (MDM) solution to better control what’s on users’ devices. Bring-your-own-device (BYOD) policies present a challenge to preventing illicit cryptomining. “MDM can go a long way to keep BYOD safer,” says Laliberte. An MDM solution can help manage apps and extensions on users’ devices. MDM solutions tend to be geared toward larger enterprises, and smaller companies often can’t afford them. However, Laliberte notes that mobile devices are not as at risk as desktop computers and servers. Because they tend to have less processing power, they are not as lucrative for the hackers.

None of the above best practices are foolproof. In recognition of that, and the growing prevalence of cryptojacking, cyber risk solution provider Coalition now offers service fraud insurance coverage. According to a press release, it will reimburse organizations for and direct financial losses due to fraudulent use of business services, including cryptomining.  

How to detect cryptojacking

Like ransomware, cryptojacking can affect your organization despite your best efforts to stop it. Detecting it can be difficult, especially if only a few systems are compromised. Don’t count on your existing endpoint protection tools to stop cryptojacking. “Cryptomining code can hide from signature-based detection tools,” says Laliberte. “Desktop antivirus tools won’t see them.” Here’s what will work:

Train your help desk to look for signs of cryptomining. Sometimes the first indication is a spike in help desk complaints about slow computer performance, says SecBI’s Vaystikh. That should raise a red flag to investigate further.

Other signals help desk should look for might be overheating systems, which could cause CPU or cooling fan failures, says Laliberte. “Heat [from excessive CPU usage] causes damage and can reduce the lifecycle of devices,” he says. This is especially true of thin mobile devices like tablets and smartphones.

Deploy a network monitoring solution. Vaystikh believes cryptojacking is easier to detect in a corporate network than it is at home because most consumer end-point solutions do not detect it. Cryptojacking is easy to detect via network monitoring solutions, and most corporate organizations have network monitoring tools.

However, few organizations with network motoring tools and data have the tools and capabilities to analyze that information for accurate detection. SecBI, for example, develops an artificial intelligence solution to analyze network data and detect cryptojacking and other specific threats.

Laliberte agrees that network monitoring is your best bet to detect cryptomining activity. “Network perimeter monitoring that reviews all web traffic has a better chance of detecting cryptominers,” he says. Many monitoring solutions drill down that activity to individual users so you can identify which devices are affected.

"If you have good egress filtering on a server where you’re watching for outbound connection initiation, that can be good detection for [cryptomining malware]," says Farral. He warns, though, that cryptominer authors are capable of writing their malware to avoid that detection method.

Monitor your own websites for crypto-mining code. Farral warns that crypto jackers are finding ways to place bits of Javascript code on web servers. "The server itself isn't the target, but anyone visiting the website itself [risks infection]," he says. He recommends regularly monitoring for file changes on the web server or changes to the pages themselves.

Stay abreast of cryptojacking trends. Delivery methods and the cryptomining code itself are constantly evolving. Understanding the software and behaviors can help you detect cryptojacking, says Farral. "A savvy organization is going to stay abreast of what’s happening. If you understand the delivery mechanisms for these types of things, you know this particular exploit kit is delivering crypto stuff. Protections against the exploit kit will be protections against being infected by the cryptomining malware," he says. 

For example, Akamai reported in December 2020 that a known cryptomining botnet had changed tactics to avoid being taken down. The botnet operators had added a bitcoin wallet address to the malware as well as a URL for a wallet-checking API and a cryptic series of nested bash one-liners. The Akamai researchers concluded that the code used the wallet data being fetched from the API to calculate an IP address, which it then used for persistence and to infect more systems.

"This is a very clever and strategic technique. It enables the operators to stash obfuscated configuration data on the blockchain. By pushing a small amount of BTC into the wallet, they can recover infected systems that have been orphaned," said the researchers in their report

How to respond to a cryptojacking attack

Kill and block website-delivered scripts. For in-browser JavaScript attacks, the solution is simple once cryptomining is detected: Kill the browser tab running the script. IT should note the website URL that’s the source of the script and update the company’s web filters to block it. Consider deploying anti-cryptomining tools to help prevent future attacks.

Update and purge browser extensions. “If an extension infected the browser, closing the tab won’t help,” says Laliberte. “Update all the extensions and remove those not needed or that are infected.”

Learn and adapt. Use the experience to better understand how the attacker was able to compromise your systems. Update your user, helpdesk and IT training so they are better able to identify cryptojacking attempts and respond accordingly.

Editor's note: This article, orginally published in February 2018, has been updated to include new research from Akamai and information on the Prometei botnet.

Copyright © 2021 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
Microsoft's very bad year for security: A timeline