Cryptojacking: The Petty Cyber Crime Hiding a Deadly Threat

One of the fastest-growing malware threats of the past 18 months affects half of the businesses in the world, and most of them don’t know it. It’s called cryptojacking, an unintended consequence of the booming popularity of cryptocurrencies like Bitcoin. Most victims don’t notice that they’ve been hit by cryptojacking because its adverse effects are relatively inconsequential: it just steals CPU cycles from your computer, as well as the electricity required to power it.

Getting hit by ransomware -- a similarly-pervasive and fast-growing but much more destructive malware threat -- is like a roundhouse punch to the face: your files get locked up with encryption until you pay some distant criminal hundreds or thousands of dollars for the key. Compared to ransomware, cryptojacking seems more like a mosquito bite: an annoyance, not a grave threat.

But the harsh reality is that like disease-carrying insects, some cryptojackers bring lethal friends along with them.

Without delving into the technical intricacies of any cryptocurrency, what you need to understand on a basic level is an essential component process called cryptomining. Cryptomining provides the means to verify digital transactions without the intervention of a centralized authority like a bank, one of the most valuable benefits of blockchain technology.

Cryptomining involves many volunteers on the Internet who have agreed to try to solve a mathematical puzzle in return for a reward. Each participant works from the same collection of transactions, taking a cryptographic hash of them and then making as many as 100 million guesses in an attempt to discover a related hash value that meets certain mathematical criteria. The first person to unwind this abstruse problem has executed a critical piece of the blockchain process, providing incontrovertible validation of the block of transactions, which are then immutably added to the distributed ledger.

In financial applications of blockchain, this solves the so-called double-payment issue, preventing a unit of the cryptocurrency from being copied and fraudulently used in another transaction. The solver gets paid a bounty in cryptocurrency, and everybody races to find a solution for the next transaction block.

The challenge is that solving these puzzles demands a staggering amount of computing horsepower and electricity: your typical consumer-grade PC might take a century to produce the verification hash for just one block. Nowadays, the profitable business of block-solving for cryptocurrencies is mostly conducted by specialized businesses using large pools of computers equipped with costly custom ASIC microprocessors and cooling systems that are highly optimized for this particular task. It’s not a game for amateurs.

But certain less-popular cryptocurrencies, notably Monero, use mining algorithms that aren’t well-suited to the ASIC-based approach that dominates Bitcoin mining. Some crafty developers figured out a way to mine Monero by creating an application called Coinhive that divides the block-solution problem into many pieces and distributes it to thousands of ordinary consumer-grade PCs. These either run as an application on Windows or Linux, or as a piece of JavaScript code running in users’ browsers. Instead of solving the puzzle with expensive, highly specialized hardware that generates a lot of heat, you borrow a few CPU cycles here and a few there from a legion of cheap PCs.

Some of the usage of Coinhive and its ilk to mine Monero is legitimate, above-board. For example, the online magazine Salon.com makes most of its money displaying ads in its readers’ browsers. But when it detects that a reader is using an ad blocker, it offers an alternative price for access to its content: instead of viewing ads, readers must agree to install Coinhive in their browsers to help mine a little Monero, letting Salon keep any earnings produced.

Meanwhile, bad guys don’t want to ask your permission. Instead they simply find ways to get Coinhive or similar mining programs to run on your computer surreptitiously, either as an app or a browser script. They use your CPU cycles and electricity, without sharing their profits with you.

They gain access to your system by using proven infiltration techniques like duping you into opening an infected link or attachment in a phishing email, or infecting web servers you visit to download that mining JavaScript to run in your browser.

If you haven’t given your consent to this, the cryptominer qualifies as malware: you are the victim of cryptojacking. You’ve been deviously dragged into donating valuable resources to faceless high-tech gangsters.

There’s a good chance that you too have been cryptojacked and don’t know it. The latest cryptojacking models only steal about 20 percent of your PC’s processing power at any given time, or they wait till you’re not busy on the PC to execute the most labor-intensive calculations. They strive to be unobtrusive: if you don’t notice the slowdown, you’ll never call tech support or take your own steps to diagnose a sudden plunge in performance.

The infection persists as a minor aggravation that you will mistakenly attribute to your latest OS update, browser bloat, or aging hardware.

Maybe you can suffer the misdemeanor of having your pocket picked of spare change: there are far nastier security risks in life to worry about. But cryptojacking is not as petty a crime as it first appears: there’s a serious problem hiding. Specifically, cryptojacking malware now commonly sneaks in some very unpleasant companions.

The worst is the notorious ransomware, the cyber-theft tool that has cost businesses and consumers billions of dollars over the past five years, and is projected to expand to $11.5 billion by the end of next year.

That drive-by download from a compromised website, or malicious email attachment masquerading as a vendor invoice, is now likely to contain both cryptojacking and ransomware trojans, with some extra code to detect your extant countermeasures and activate the one for which you have weaker defenses.

The good news is that your best defenses against cryptojacking are largely identical to those you should be implementing to fight ransomware:

• Educate users to be wary of the most common malware attack vectors
• Disable the default execution of JavaScript in your browsers
• Install endpoint anti-virus software to handle the least sophisticated and best-known threats, and keep its signature files up-to-date
• Deploy artificial-intelligence-driven cyber defenses like Acronis Active Protection, which instantly detects and terminates both ransomware and cryptojacking attacks -- even the kind of previously-undiscovered zero-day attacks against which signature-based defenses are useless -- before they can take root in your system.

It’s time to confront the fact that there’s no such thing as mostly harmless, merely annoying cryptojacking malware anymore. You need to recognize that this seemingly minor threat may conceal much greater harm. That pesky mosquito bite might also give your computer, and potentially every other system connected to it over your local network, the tech equivalent of a fatal case of malaria.