In Just One Month, Acronis’ New Cryptojacking Blocker Delivers Great Results

Stopping cryptomining malware

One month after the release of the Acronis True Image 2019 Cyber Protection update, we already have some interesting findings and amazing results to share from the update to our Acronis Active Protection defensive technologies. One of the major features added as part of the Cyber Protection update was the ability to detect and stop potential cryptomining malware on Windows systems, safeguarding the machine’s resources, performance and hardware for Acronis True Image users.

Our detection of possible cryptojacking attacks works exactly the same way as our anti-ransomware solution: Acronis Active Protection detects a threat, notifies the user, and offers a choice to either block or whitelist the process.

While we did not expect to see a lot of detections during the initial rollout, the telemetry data collected so far – surprisingly – shows the opposite.

More Detections Than Expected

The first month resulted in tens of thousands of detections from all over the world. Among the well-known standard miners detected were xmr-stak-cpu.exe, Claymore CryptoNote CPU Miner, rhminer, and the xmrig Monero miner. Alongside those legitimate mining builds, several new malware samples and legitimate processes were detected as well.

Typically, when anti-virus solutions detect cryptominers, it is hard to tell whether the process was intentional mining or illicit, because the AV solution responds to each incident automatically. With Acronis Active Protection, the user has to act on each detection, so we can tell whether an incident was an attack or an approved process. Armed with this telemetry data, we found that more than 60 percent of the mining detected in the first month was illicit: it was stopped by a user who did not whitelist it later.

Threats From Familiar Faces

Among the detected threats, around 20 percent were actually unique malware strains that had never been seen before. The most interesting part, though, involved detections that initially looked like false alarms. In just one week, we got the following detections:

  • notepad.exe – one unique hash, one incident
  • attrib.exe – two unique hashes, four incidents
  • svchost.exe – one unique hash, two incidents
  • vbc.exe – one unique hash, three incidents
  • chrome.exe – two unique hashes, two incidents
  • Popcorn-Time.exe – two unique hashes, 12 incidents
  • java.exe – one unique hash, one incident
  • setup.exe – two unique hashes, 93 incidents

Acronis researchers spent some time investigating these cases, especially “setup.exe”, which had the most incidents. It turned out that these cases were due to Trojans already present on the users’ machines. Relying on the “setup.exe” telemetry alone was difficult, since “setup.exe” is a valid Microsoft executable, so we cross-checked these cases by comparing them with other telemetry entries from the same client (entries sent from the same IP address). It turned out that these clients generated many other detections as well.
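As an added example (not Acronis’ code), the two analysis steps described above, the user-decision rule behind the illicit share and the same-client cross-check for detections on legitimate-looking process names, applied to a constructed telemetry sample whose record format is an assumption:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real Acronis data), one event per line:
# timestamp, client IP, process name, file hash (shortened), user's choice.
SAMPLE_TELEMETRY = """\
2018-10-01T10:00:00 203.0.113.5 setup.exe aaaa block
2018-10-01T10:05:00 203.0.113.5 notepad.exe bbbb block
2018-10-01T11:00:00 203.0.113.5 attrib.exe cccc block
2018-10-02T09:00:00 198.51.100.7 xmrig.exe dddd block
2018-10-02T09:30:00 198.51.100.7 xmrig.exe dddd whitelist
2018-10-03T08:00:00 192.0.2.9 setup.exe eeee block
"""
# Legitimate-looking names from the post's list; a hit on one of these alone
# is not conclusive, so it is cross-checked against the client's other hits.
LEGIT_NAMES = {"notepad.exe", "attrib.exe", "svchost.exe", "vbc.exe",
               "chrome.exe", "java.exe", "setup.exe"}

def parse_telemetry(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, proc, digest, action = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                           "proc": proc, "hash": digest, "action": action})
    return events

def classify(events):
    """Per (client, hash) the user's latest choice decides: a block that is
    never followed by a whitelist from the same client counts as illicit."""
    last = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        last[(ev["ip"], ev["hash"])] = ev["action"]
    return {k: "illicit" if a == "block" else "approved" for k, a in last.items()}

def illicit_share(events):
    """Fraction of (client, hash) pairs judged illicit; 0.0 if there are none."""
    verdicts = classify(events)
    return sum(v == "illicit" for v in verdicts.values()) / len(verdicts) if verdicts else 0.0

def suspicious_clients(events):
    """Cross-check as the post describes: a client (IP) whose detection on a
    legitimate-looking name is accompanied by detections on other hashes."""
    per_ip = defaultdict(set)
    for ev in events:
        if ev["action"] == "block":
            per_ip[ev["ip"]].add((ev["proc"], ev["hash"]))
    return sorted(ip for ip, seen in per_ip.items()
                  if len(seen) > 1 and any(p in LEGIT_NAMES for p, _ in seen))
```

On the sample, only the client that blocked setup.exe together with two other hashes is flagged; the lone setup.exe detection from another client is left for further review.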

Our research found file protection entries as well as cryptomining protection entries on a number of different executables, and some of these executables are identified as malicious by lookup services like VirusTotal.

Figure: An example of a cryptominer injection into Notepad.exe, detected by Acronis Active Protection

That examination clearly shows that many of today’s malicious miners are injected into legitimate signed processes, using them as a mining host to avoid detection. What is most alarming is that this approach actually works: these miners are not being detected by many of the anti-malware solutions out there.

Final Thought

We will continue to research the topic, but we recommend that users check whether their AV solution is able to detect such a threat. To be on the safe side, install Acronis True Image 2019 Cyber Protection as an additional layer of protection. Not only will it take care of your data’s safety, but it will also help preserve your system resources and hardware in the long run.