As cryptocurrency grows in value and popularity, cybercriminals have noticed the opportunity to profit through illicit means such as crypto malware and ransomware attacks targeting vulnerable organizations.
While cryptojacking was once mainly a nuisance for individual users, crypto mining malware has increasingly shifted toward large enterprise networks, which offer far more processing power to hijack and, when ransomware is bundled in, far larger payouts.
When cryptojacking malware or ransomware takes advantage of weaknesses in an enterprise’s systems, the impacts can be devastating – halting operations, exposing sensitive data, and costing millions in lost productivity and revenue.
This blog outlines the evolving tactics employed by cybercriminals and how businesses can best protect their complex IT infrastructure against emerging crypto threats.
What is Crypto Malware?
Crypto malware, also called cryptojacking malware, is malicious software that covertly uses an infected machine’s resources to mine cryptocurrency without the owner’s consent. It installs or injects mining software that runs in the background, most often mining Monero, whose proof-of-work algorithm is designed for ordinary CPUs. Bitcoin mining requires specialised ASIC hardware and Ethereum stopped using mining altogether with its 2022 switch to proof of stake, so neither is a practical target for hijacked commodity machines.
Some threat groups deploy ransomware alongside crypto mining malware to double their gains.
In these combined attacks, the miner hijacks the target’s CPU or GPU to run proof-of-work hashing and submits its results to a mining pool, which pays the attacker’s wallet in proportion to the work done. Meanwhile, the ransomware encrypts the victim’s files and demands payment, usually in Bitcoin or another cryptocurrency.
Failing to pay can result in the files being lost permanently, and paying is no guarantee of recovery either.
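To make concrete what “proof-of-work hashing” costs the victim, here is a toy miner added for this post (it is not code from the original article or from any real miner). It searches for a nonce whose double-SHA-256 hash falls below a difficulty target, which is the same loop shape real Monero or Bitcoin miners run; the header bytes, the 4-byte little-endian nonce layout and the difficulty values are constructed for illustration only.

```python
import hashlib

# Constructed stand-in for a block header; real headers carry previous-block
# hash, merkle root, timestamp and difficulty fields in a binary layout.
HEADER = b"constructed-block-header:prev=0000:merkle=abcd:ts=1700000000"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin-style proof of work is built on."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def proof_of_work(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Search nonces until sha256d(header || nonce) has `difficulty_bits`
    leading zero bits. Returns (nonce, hash_hex, attempts) or None.
    Expected attempts double with every extra bit of difficulty, which is
    why a miner saturates every core it is allowed to use."""
    target = 1 << (256 - difficulty_bits)
    for nonce in range(max_nonce):
        digest = sha256d(header + nonce.to_bytes(4, "little"))
        if int.from_bytes(digest, "big") < target:
            return nonce, digest.hex(), nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs a single hash: cheap to verify, expensive to find."""
    digest = sha256d(header + nonce.to_bytes(4, "little"))
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_attempts(difficulty_bits: int) -> int:
    """Average number of hashes needed to hit the target."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, h, attempts = proof_of_work(HEADER, bits)
        print(f"{bits} bits: nonce={nonce} attempts={attempts} "
              f"(expected ~{expected_attempts(bits)}) hash={h[:16]}...")
```

Real networks set difficulty so that the expected attempt count runs into the tens of trillions; a commodity CPU manages a few thousand RandomX hashes per second, so the only way the loop ever pays is to run it flat out on as many hijacked machines as possible, which is exactly what the detection signs later in this post key on.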
Emerging Trends in Crypto Malware Attacks
Several trends have emerged in recent crypto malware attacks. Large-scale crypto mining malware campaigns have infected millions of computers worldwide through mechanisms like hacked websites and supply chain attacks. These mass cryptojacking operations harness immense computing power for prolonged coin mining.
Additionally, ransomware attacks have grown in sophistication. Besides regular users, corporations and government agencies are now frequently targeted in highly damaging ransomware attacks demanding over $1 million in some cases. The level of potential ransom has increased substantially.
Crypto thieves have also developed new techniques like directly stealing cryptocurrency from online exchanges and individual wallets. Through supply chain attacks, wherein malware is inserted into legitimate code during the development process, and social engineering schemes, cyber criminals have successfully pilfered millions from cryptocurrency services and holders.
Here are some key stats on cryptojacking:
Kaspersky Report (Q1–Q3 2022):
- In the first three quarters of 2022, cybercriminals intensified their cryptojacking efforts due to the vulnerability of the crypto industry.
- Cryptocurrency prices were dropping during this period, but threat actors continued to exploit the situation.
- Cybercriminals targeted not only crypto investors but anyone susceptible to their attacks.
- The falling cost of mining equipment and less efficient market players leaving the game contributed to the rise in cryptojacking.
Source: Kaspersky Report on crypto jacking
Cryptojacking in Cloud Environments (2018):
- Up to 25% of organizations experienced cryptojacking activity within their cloud environments in 2018.
Cryptojacking Attacks (2018–2019):
- Although it only emerged in late 2017, cryptojacking quickly gained prominence.
- In 2018, it accounted for 35% of all web-based attacks.
- McAfee reported a 29% increase in cryptojacking attacks during the first quarter of 2019.
Cisco’s Findings (2020):
- In 2020, nearly 70% of Cisco’s customers fell victim to cryptomining software.
How to Identify Crypto Mining Malware in Enterprise Networks
There are several signs that can indicate an enterprise network has been targeted by crypto mining malware.
Heavily taxed systems running at full capacity: One of the most noticeable indicators is sustained CPU or GPU load on machines that should be idle, which shows up as overheating, abnormally loud fans, sluggish response, or unexplained cloud compute bills. Mining is proof-of-work hashing: the miner runs the same hash computation millions of times per minute looking for a result below a difficulty target, so it consumes every core it is allowed to. Some miners throttle themselves while a user is active or a task manager is open, so load that vanishes the moment someone logs in is itself suspicious.
Browser-based mining: In-browser cryptojacking injects a JavaScript miner into a web page, or into a third-party script that many pages load, so the visitor’s CPU mines for as long as the tab stays open. Browser tabs pegged at high CPU on otherwise static sites, pop-under windows that persist after a site is closed, and redirects to pages the user never requested are signs of this.
Spike in Bandwidth Usage: Sudden changes in network bandwidth utilization or unusual traffic from unexpected internal IP addresses could also signal a cryptojacking attack diverting business resources.
Unauthorized RDP Connections: Unauthorized remote desktop connections or domain admin credentials being accessed where they shouldn’t raise red flags as well.
Phishing Emails: Phishing emails targeting employees that drop crypto mining scripts or ransomware payloads when an attachment or link is opened are a frequent initial infection method.
Unsolicited pop-ups: Similarly, unsolicited pop-up messages trying to persuade users into installing questionable “optimization” tools should raise red flags as they may secretly download crypto mining payloads.
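The process and network signs above can be turned into a first-pass triage check. The script below is an added example written for this post, not code from the original article or from any vendor product. It runs over a constructed snapshot of processes and outbound connections (the kind of data `ps`, `ss` or an EDR agent would give you) and separates hosts with a hard indicator (a known miner name, stratum-style arguments, or a connection to a common pool port) from hosts that only show high CPU, which on its own is too noisy to act on. The miner names, argument patterns and pool ports are illustrative choices, not an exhaustive list.

```python
import re
from dataclasses import dataclass

# Illustrative indicator sets (assumptions, not an authoritative list):
# common open-source miner binaries, miner command-line flags, and TCP ports
# that mining pools frequently listen on.
MINER_NAMES = re.compile(r"\b(xmrig|minerd|cpuminer|xmr-stak|kinsing|kdevtmpfsi)\b", re.I)
MINING_ARGS = re.compile(r"stratum\+(tcp|ssl)://|--donate-level|--coin[= ]|--algo[= ]", re.I)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444, 45700}
CPU_HOT = 80.0          # percent of one core, sustained, while the host should be idle
STRONG = ("known miner", "mining arguments", "pool port")


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float
    user: str


@dataclass
class Conn:
    pid: int
    raddr: str
    rport: int


# Constructed snapshot: one obvious miner, one renamed miner dropped under
# a kernel-thread-like name, one busy but legitimate browser, and background noise.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/sbin/init", 0.3, "root"),
    Proc(812, "kworkerds", "/tmp/.x/kworkerds --donate-level=1 -o stratum+tcp://198.51.100.9:14444 -u 44AbC", 97.5, "www-data"),
    Proc(2201, "chrome", "/opt/google/chrome/chrome --type=renderer", 91.0, "alice"),
    Proc(4120, "xmrig", "./xmrig -o 203.0.113.5:3333 -u 48QxY -p x", 385.0, "root"),
    Proc(5310, "python3", "python3 /opt/app/worker.py", 12.0, "app"),
]
SAMPLE_CONNS = [
    Conn(812, "198.51.100.9", 14444),
    Conn(2201, "142.250.74.68", 443),
    Conn(4120, "203.0.113.5", 3333),
    Conn(5310, "10.0.0.5", 5432),
]


def score_process(p: Proc, conns_by_pid: dict) -> list:
    """Collect every indicator that applies to one process."""
    reasons = []
    if MINER_NAMES.search(p.name) or MINER_NAMES.search(p.cmdline):
        reasons.append("known miner binary name")
    if MINING_ARGS.search(p.cmdline):
        reasons.append("mining arguments on command line")
    for c in conns_by_pid.get(p.pid, []):
        if c.rport in POOL_PORTS:
            reasons.append(f"pool port {c.raddr}:{c.rport}")
    if p.cpu_pct >= CPU_HOT:
        reasons.append(f"sustained CPU {p.cpu_pct:.0f}%")
    return reasons


def triage(procs, conns):
    """Return (flagged, review): pids with a hard indicator vs. CPU-only suspects."""
    by_pid = {}
    for c in conns:
        by_pid.setdefault(c.pid, []).append(c)
    flagged, review = {}, {}
    for p in procs:
        reasons = score_process(p, by_pid)
        if not reasons:
            continue
        if any(r.startswith(STRONG) for r in reasons):
            flagged[p.pid] = reasons
        else:
            review[p.pid] = reasons
    return flagged, review


if __name__ == "__main__":
    flagged, review = triage(SAMPLE_PROCS, SAMPLE_CONNS)
    for pid, why in flagged.items():
        print(f"FLAG pid {pid}: " + "; ".join(why))
    for pid, why in review.items():
        print(f"REVIEW pid {pid}: " + "; ".join(why))
```

The renamed miner is caught by its command line and its pool connection even though its name looks like a kernel thread, while the busy browser only lands in the review bucket. A miner that strips its arguments and uses port 443 to a pool would evade this check, which is why the process view should be paired with egress monitoring for sustained connections to unfamiliar hosts.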
How to Remove Crypto Mining Malware
If signs of crypto mining malware are detected, there are several steps administrators can take to remove the crypto malware from their devices.
Running a thorough scan with reputable antivirus or EDR software is the best first course of action. Most products now include specific detection for known crypto mining threats, and the scan can identify infected files and quarantine or delete them. Because commodity miners are often dropped under innocent-looking names, or as a renamed copy of the open-source XMRig miner, also check running processes for sustained CPU use and mining-pool connections, and inspect the installed programs list for anything out of the ordinary.
Any suspiciously named or dated items should be uninstalled. Remove the persistence mechanism as well as the binary: look for scheduled tasks, services, cron jobs, startup entries or WMI subscriptions that would reinstall the miner after a reboot. Ensure all software and operating systems on the device are fully updated, since the miner usually arrived through an unpatched vulnerability or an exposed service, and closing that door matters more than deleting the payload.
System administrators should keep monitoring the device afterwards for reappearing processes or new installations, which usually means a persistence mechanism or the original entry point was missed.
As a last resort, reimaging the machine from a known-good image wipes out even deeply embedded mining code. Treat any credentials stored on or used from the infected host as compromised and rotate them, because the access that installed a miner can just as easily be resold to a ransomware operator. Taking these measures should eliminate cryptojacking malware in most cases. However, prevention is always a better option than cure.
Prevention and Mitigation Tips Against Crypto Malware Attacks
Here are recommendations for enterprises to prevent crypto malware threats:
Implement Strong Authentication: Adopt multifactor authentication for VPN access, remote desktop gateways and privileged admin accounts so that stolen credentials alone are not enough. Enforce strong, unique passwords, and rotate any credential that may have been exposed.
Payload Prevention: Keep endpoint and network security software up to date to block known mining and ransomware payloads. Configure firewalls and gateway inspection to block outbound connections to known mining pools and common stratum ports, and enable behavioural detection for mass file encryption. Patch internet-facing services promptly: unpatched servers and exposed management ports are the most common way miners get in.
Access Restrictions: Audit and tightly control RDP and SSH access, removing unused accounts and default credentials, requiring a VPN or jump host, and restricting source IPs. Isolate admin tools and workstations from general network traffic. Limit the privilege escalation and lateral-movement paths that ransomware operators such as Ryuk and Conti rely on once inside; a cryptojacking foothold on one host is often the first step.
Backups and Recovery: Regularly backup critical application data, source code repositories, databases and files offline to air-gapped storage. Keep immutable backups to avoid ransomware encryption propagation. Practice restore drills from backups in case of ransomware.
User Awareness Training: Educate employees on secure email and web habits, like caution with email attachments and links from unknown senders to avoid inadvertent crypto malware download.
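Auditing RDP access, mentioned both as a warning sign above and as a control here, is straightforward once successful logons are exported. The following is an added example for this post, not code from the original article. It reads a constructed CSV export of Windows Security event 4624 records (logon type 10 is RemoteInteractive, i.e. RDP) and flags sessions whose source address is outside the admin network, whose account is not in the RDP-permitted group, that use a service account interactively, or that use the built-in Administrator. The network ranges, group membership and account names are assumptions for the example.

```python
import csv
import io
import ipaddress

# Constructed export of the Security log fields that matter for this check.
# event_id 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """time,event_id,logon_type,account,source_ip
2024-03-01T09:02:11Z,4624,10,CORP\\jdoe,10.20.5.17
2024-03-01T02:14:55Z,4624,10,CORP\\svc_backup,198.51.100.23
2024-03-01T02:15:03Z,4624,10,CORP\\Administrator,10.99.0.8
2024-03-01T11:40:20Z,4624,3,CORP\\fileserver$,10.20.0.9
2024-03-01T13:05:41Z,4624,10,CORP\\helpdesk1,10.20.5.44
"""

# Policy assumptions: RDP is only allowed from the admin VLAN / jump host,
# only by members of an RDP group, and never by service accounts.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]
RDP_GROUP = {"CORP\\jdoe", "CORP\\helpdesk1"}
SERVICE_ACCOUNTS = {"CORP\\svc_backup"}


def audit_rdp(log_text: str) -> list:
    """Return one finding per RDP logon that violates the policy above."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] != "4624" or row["logon_type"] != "10":
            continue                      # not a successful RDP session
        ip = ipaddress.ip_address(row["source_ip"])
        account = row["account"]
        reasons = []
        if not any(ip in net for net in ALLOWED_RDP_SOURCES):
            reasons.append(f"source {ip} outside allowed RDP networks")
        if account not in RDP_GROUP:
            reasons.append("account not in RDP-permitted group")
        if account in SERVICE_ACCOUNTS:
            reasons.append("service account used interactively")
        if account.lower().endswith("\\administrator"):
            reasons.append("built-in Administrator over RDP")
        if reasons:
            findings.append({"time": row["time"], "account": account,
                             "source_ip": str(ip), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rdp(SAMPLE_LOG):
        print(f"{f['time']} {f['account']} from {f['source_ip']}: " + "; ".join(f["reasons"]))
```

The same allowlist should be enforced on the firewall and the RDP gateway rather than only reported on; the audit is there to catch the sessions that got through anyway, such as a service account whose password leaked, which is a classic way a miner or ransomware affiliate lands on a server at two in the morning.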
Top 3 Crypto Mining Malware Stealing Your Processing Power
Cryptoloot: Cryptoloot is a JavaScript-based Monero miner that runs in the visitor’s browser, built as a commercial competitor to Coinhive and offered to site operators for a cut of the proceeds. Like Coinhive, it was widely abused: attackers injected the script into compromised websites, browser extensions and advertising so that every visitor mined for the attacker for as long as the page stayed open. It ranked among the most prevalent malware families in Check Point’s global threat index for much of 2018.
Smominru: The Smominru botnet, documented by Proofpoint in January 2018, hijacked more than half a million Windows machines and was the largest known Monero mining operation at the time. Rather than relying on user interaction, it spread by exploiting the EternalBlue SMB vulnerability (MS17-010), the same exploit used by WannaCry, and used WMI for persistence and to launch the miner, so a single unpatched server could become a foothold for an entire network. Mining at that scale reportedly earned the operators millions of dollars’ worth of Monero.
Coinhive: Coinhive launched in 2017 as a legitimate in-browser Monero miner that publishers could embed as an alternative to advertising, but its JavaScript was quickly weaponised. The most visible incident came in February 2018, when the Browsealoud accessibility script loaded by thousands of websites, including UK and US government sites, was tampered with to include Coinhive, so every visitor mined Monero until the script was pulled. The campaign showed how a single compromised third-party script could turn popular destinations into cryptojacking sites, and it spawned a wave of copycat in-browser miners with similar payloads and deployment techniques. Coinhive shut down in March 2019 after Monero’s price fell and a Monero hard fork made the service unprofitable.
Conclusion
Cryptojacking malware poses a serious threat to individual computer users and large organizations alike. Whenever cryptocurrency values rise, cybercriminals turn to crypto malware as an appealing vector for illicit profit, and miners are likely to keep getting better at hiding their activity and adopting new evasion behaviours.
For enterprises that rely on large networks of connected devices, the risks are especially pronounced, with high-profile crypto malware and ransomware incidents continuing to disrupt operations and cost revenue.
Proactive steps like security audits, employee training programs, implementation of multi-factor authentication, backing up vital systems, and deploying robust malware detection tools are vital for companies looking to deter today’s savvy criminal actors.
Only by hardening security postures against the latest hacking techniques and staying up-to-date can businesses help minimize exposure to cryptojacking malware, ransomware, and other financially-motivated cyber threats. Constant vigilance is critical when so much is at stake.