Cryptojacking is the unauthorised use of victims’ devices or servers to mine cryptocurrency for illicit profits. Attackers who engage in this form of malicious cryptomining aim to remain hidden in their victims’ computer systems or network for as long as possible to maximise the profits gained from cryptomining.
Although the methods by which a cryptojacking attack is carried out may vary, most attacks follow a relatively standard methodology.
The cryptojacking activity may then persist undetected, potentially for a long time. To avoid detection, the malware may use anti-analysis techniques, throttle CPU or GPU usage while the user is active, or hide among legitimate background processes, for example by masquerading as a system binary. Infected machines often form part of a larger botnet that pools the computational power of many devices to maximise the attacker's financial gain.
Cryptojacking has evolved to become more sophisticated, manifesting in various forms. Understanding the different types of cryptojacking is crucial in recognising and mitigating its impacts.
In browser-based cryptojacking, attackers run JavaScript code in the victim's web browser when they visit a compromised website or are served a malicious advertisement. The script mines in the background, using the browser's resources for as long as the page stays open. Because nothing is installed, this form does little lasting damage to the device, but it also leaves no file on disk for endpoint tools to find, which makes it harder to detect.
System-based cryptojacking, by contrast, occurs when a user unknowingly downloads and installs cryptojacking malware onto their device. The malware runs persistently in the background, using the device's processing power to mine cryptocurrency. This form is more harmful because it gives attackers a foothold on the victim's computer that can also be used to steal sensitive information or drop further malware.
Hybrid cryptojacking attacks take browser-based attacks a step further. Not only does the malicious script run in the victim's browser, it also exploits vulnerabilities in the browser or its plugins to drop a payload on the victim's system. This payload is usually a more persistent form of cryptomining malware that installs itself on the system and keeps running after the browser is closed. Hybrid attacks let attackers continue their operations long-term and improve the efficiency and profitability of cryptojacking.
With more organisations shifting their operations to the cloud, cryptojacking attacks that target cloud servers have become more prevalent. Attackers exploit vulnerabilities or use stolen credentials, such as leaked access keys, to gain access to cloud infrastructure, then use the compromised resources for cryptomining. Given the vast, elastic resources available in cloud environments, attackers can obtain significant computational power for their mining operations while the victim pays the compute bill, making this type of cryptojacking particularly lucrative.
Cryptojacking can be stealthy, but there are several indicators that your system or network may be compromised:
Cryptojacking attacks are often perceived as less harmful than other forms of cybercrime because they do not directly damage victims' computers or steal data. However, the covert nature of these attacks means they can go undetected for extended periods, silently draining resources and potentially causing considerable damage.
Because cryptojacking malware and scripts consume considerable CPU and GPU resources, victims experience slower system performance and more frequent lags and crashes, which can significantly reduce productivity for individuals and businesses.
Financial losses from increased energy consumption, repair and replacement of worn hardware, and remediation costs may place a heavy financial burden on victimised businesses.
Network security may also be compromised, as cryptojacking malware may create backdoors that allow attackers to deploy additional malware, exfiltrate sensitive data, and spread to other systems across the network.
Over time, reputational damage to organisations may be severe if the cryptojacking operations negatively affect organisations’ service quality or cause service disruptions. Customer and investor trust may erode, potentially leading to the loss of business opportunities and partnerships.
Protecting your systems and networks from cryptojacking attacks requires a comprehensive approach that addresses both prevention and detection. Given the stealthy nature of these attacks, it is essential to implement robust security measures across all potential points of entry.
Browser-based cryptojacking depends on JavaScript. Disabling JavaScript in browsers when it is not needed, or using ad-blockers and script-blockers that maintain lists of known mining domains, stops these scripts from running. Note that this protects only against the browser-based form; it does nothing against malware already installed on the system.
By building employees' cybersecurity awareness, organisations can turn them into a proactive line of defence. Regular training sessions can equip them to recognise signs of cryptojacking and to practise safe browsing habits, such as avoiding untrusted websites and downloading software only from reputable sources.
Regular monitoring of cloud instances for unusual activity, such as sustained spikes in CPU usage, unauthorised instance creation, or unexpected growth in the compute bill, aids early detection of cryptojacking. Organisations should also implement strict access controls and multi-factor authentication to secure cloud environments, ensuring that only authorised personnel and workloads have access to critical resources, and rotate any access keys suspected of exposure. Cloud-native security tools such as Microsoft Defender for Cloud should also be used to continuously analyse and improve security posture.
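The two cloud indicators named above, unauthorised instance creation and sustained CPU usage, can be checked mechanically. The following is an added example and not code from the original article or from Ensign; it runs over constructed, simplified CloudTrail-style events and CPU samples embedded in the file, and the policy values (approved principals and regions, GPU instance-family prefixes, a working-hours window) are assumptions to be tuned for a real account.

```python
"""Flag cloud cryptojacking indicators in constructed audit-log and metric samples."""

# Constructed CloudTrail-style management events, simplified; not real logs.
EVENTS = [
    {"eventTime": "2024-05-01T09:02:11Z", "eventName": "RunInstances",
     "principal": "ci-deploy", "region": "ap-southeast-1",
     "instanceType": "t3.medium", "count": 1},
    {"eventTime": "2024-05-01T03:14:52Z", "eventName": "RunInstances",
     "principal": "ci-deploy", "region": "ap-southeast-1",
     "instanceType": "p3.16xlarge", "count": 8},
    {"eventTime": "2024-05-01T03:20:07Z", "eventName": "RunInstances",
     "principal": "svc-legacy-key", "region": "us-west-2",
     "instanceType": "c5.24xlarge", "count": 20},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "principal": "ops-admin", "region": "ap-southeast-1"},
]

# Constructed 5-minute CPU utilisation samples (percent) per instance.
CPU_SAMPLES = {
    "i-0aweb01": [12, 15, 9, 22, 18, 14, 11, 16],
    "i-0amine01": [99, 98, 100, 97, 99, 98, 100, 99],
    "i-0abatch1": [95, 96, 91, 12, 8, 5, 7, 6],   # legitimate job: burst, then idle
}

# Assumed policy for this environment; tune to your own account.
APPROVED_REGIONS = {"ap-southeast-1", "us-east-1"}
APPROVED_LAUNCHERS = {"ci-deploy", "ops-admin"}
GPU_PREFIXES = ("p", "g")        # p*/g* families are GPU instances
MAX_NORMAL_COUNT = 4             # larger launches are unusual here
WORK_HOURS = range(8, 20)        # 08:00 to 19:59 UTC


def launch_findings(events):
    """Return (reasons, event) pairs for RunInstances calls that break the assumed policy."""
    findings = []
    for ev in events:
        if ev["eventName"] != "RunInstances":
            continue
        reasons = []
        if ev["principal"] not in APPROVED_LAUNCHERS:
            reasons.append("unapproved principal")
        if ev["region"] not in APPROVED_REGIONS:
            reasons.append("region not in use")
        if ev["instanceType"].startswith(GPU_PREFIXES):
            reasons.append("GPU instance type")
        if ev["count"] > MAX_NORMAL_COUNT:
            reasons.append(f"bulk launch of {ev['count']} instances")
        if int(ev["eventTime"][11:13]) not in WORK_HOURS:
            reasons.append("outside work hours")
        if reasons:
            findings.append((", ".join(reasons), ev))
    return findings


def sustained_cpu(samples, threshold=90, min_fraction=0.8):
    """Instances with CPU at or above `threshold` in at least `min_fraction` of samples.

    Counting high samples across the window, rather than alerting on a single
    spike, separates a steady miner from a job that bursts and then goes idle.
    """
    return [inst for inst, values in samples.items()
            if sum(v >= threshold for v in values) / len(values) >= min_fraction]


if __name__ == "__main__":
    for reasons, ev in launch_findings(EVENTS):
        print(f"{ev['eventTime']} {ev['principal']} {ev['region']} "
              f"{ev['instanceType']} x{ev['count']}: {reasons}")
    print("sustained CPU:", sustained_cpu(CPU_SAMPLES))
```

Run against the embedded samples, the two night-time launches (a GPU fleet from an otherwise approved deploy account, and a bulk launch from an unknown key in an unused region) are reported, while the single daytime t3.medium is not; only the instance that stays pinned near 100% is flagged, not the batch job that spikes and drops. In production the same logic would read CloudTrail and CloudWatch data rather than inline lists.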
Regular updating and patching of systems is essential for a robust defence against cryptojacking, since many infections begin with the exploitation of a known vulnerability. Pay special attention to critical security updates and prioritise their installation. This proactive approach reduces the risk of exploitation and infection by cryptojacking malware.
Implementing EDR solutions to monitor endpoints for suspicious activity improves detection of cryptojacking and shortens response times. EDR tools can flag the behaviour associated with miners, such as a process consuming CPU continuously, connections to mining pools, or a known miner binary running under another name, and alert the security team for rapid response.
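To make the endpoint indicators above concrete, here is an added example of the kind of scoring rule an analyst might write on top of EDR telemetry; it is not code from the original article, from Ensign, or from any EDR vendor. It runs over constructed process records in a simplified EDR-like shape, and the miner command-line patterns, pool port list, CPU threshold and expected-parent table are assumptions to tune. The CPU threshold is deliberately set well below 100% so that a miner throttled to roughly half the CPU, as described earlier, still counts as sustained load; note that sustained load alone does not raise an alert, only in combination with other indicators.

```python
"""Score constructed endpoint telemetry for cryptojacking indicators."""
import re

# Constructed process records in a simplified EDR-like shape; not real vendor output.
PROCESSES = [
    {"pid": 412, "name": "chrome.exe", "parent": "explorer.exe",
     "cmdline": "chrome.exe --type=renderer",
     "cpu": [35, 60, 20, 15, 40, 10], "connections": [("142.250.74.36", 443)]},
    {"pid": 1337, "name": "svchost.exe", "parent": "powershell.exe",   # renamed miner
     "cmdline": "svchost.exe -o stratum+tcp://203.0.113.7:3333 -u <wallet> "
                "--donate-level=1 --cpu-max-threads-hint=50",
     "cpu": [48, 50, 49, 51, 50, 48], "connections": [("203.0.113.7", 3333)]},
    {"pid": 2201, "name": "backup.exe", "parent": "services.exe",
     "cmdline": "backup.exe --full",
     "cpu": [92, 95, 90, 10, 5, 3], "connections": [("10.0.0.5", 445)]},
    {"pid": 3010, "name": "render.exe", "parent": "explorer.exe",      # busy but benign
     "cmdline": "render.exe project.blend",
     "cpu": [88, 90, 87, 89, 91, 88], "connections": []},
]

# Assumed tuning values; adjust to the fleet being monitored.
MINER_CMDLINE = re.compile(
    r"stratum\+(tcp|ssl)://|--donate-level|xmrig|--coin=|--algo=", re.IGNORECASE)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}   # ports commonly used by mining pools
SUSTAINED_PCT = 40           # low enough to catch a miner throttled to ~50% CPU
SUSTAINED_FRACTION = 0.8     # share of samples that must be at or above SUSTAINED_PCT
EXPECTED_PARENT = {"svchost.exe": "services.exe"}  # on Windows, svchost is started by services.exe
ALERT_SCORE = 3


def score_process(proc):
    """Return (score, reasons) for one process record."""
    score, reasons = 0, []
    if MINER_CMDLINE.search(proc["cmdline"]):
        score += 3
        reasons.append("miner command line")
    if any(port in POOL_PORTS for _, port in proc["connections"]):
        score += 2
        reasons.append("connection to mining-pool port")
    high = sum(v >= SUSTAINED_PCT for v in proc["cpu"]) / len(proc["cpu"])
    if high >= SUSTAINED_FRACTION:
        score += 1
        reasons.append(f"CPU >= {SUSTAINED_PCT}% in {high:.0%} of samples")
    expected = EXPECTED_PARENT.get(proc["name"].lower())
    if expected and proc["parent"].lower() != expected:
        score += 2
        reasons.append(f"{proc['name']} spawned by {proc['parent']} (expected {expected})")
    return score, reasons


def cryptojacking_alerts(processes):
    """Return {pid: (score, reasons)} for processes scoring at or above ALERT_SCORE."""
    alerts = {}
    for proc in processes:
        score, reasons = score_process(proc)
        if score >= ALERT_SCORE:
            alerts[proc["pid"]] = (score, reasons)
    return alerts


if __name__ == "__main__":
    for pid, (score, reasons) in cryptojacking_alerts(PROCESSES).items():
        print(f"pid {pid}: score {score}: {'; '.join(reasons)}")
```

On the embedded sample only the fake svchost.exe is alerted: it carries a Stratum pool URL on its command line, talks to port 3333, holds a steady 50% CPU, and was launched by PowerShell rather than services.exe. The render job sits at around 90% CPU for the whole window but scores only one point, and the backup job's brief burst scores nothing, which is the behaviour you want from a rule meant to avoid paging on every busy workstation.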
Addressing cryptojacking across an ever-growing attack surface can be complex and burdensome for organisations to maintain and operate, especially without a comprehensive support system. Ensign's Managed Detection and Response service provides a holistic solution to mitigate cryptojacking threats, leveraging the expertise of specialists, technology partners and advanced capabilities to detect and respond to cryptojacking attempts quickly and accurately.
Ensign's MDR offers:
Learn more about our Managed Detection and Response (MDR) services.