Crypto-malware is a type of malicious software, or malware, designed to carry out long-term cryptojacking cyberattacks.
Cryptomining, Cryptojacking and Other Crypto-malware Terms Explained
To understand what crypto-malware is and how it works, it is helpful to know what cryptocurrency is and how it is created.
Here we review a few related terms:
- Cryptojacking or criminal cryptomining
Cryptocurrency is a digital currency that can be traded online for goods and services based on blockchain technology. Unlike money, cryptocurrency is encrypted and decentralized, meaning it is unable to be modified and there is no central authority that manages it. While cryptocurrency can be used for legitimate purposes, it is also the currency of choice among cybercriminals given its inability to be traced. Bitcoin is the most well-known cryptocurrency, though Monero is also becoming increasingly popular among cybercriminals.
Cryptomining, or cryptocurrency mining, is the process of creating a unit of cryptocurrency wherein “miners” solve complex mathematical equations in order to validate data blocks and add transaction details to a blockchain. This activity, which is legal, is rewarded by payment via cryptocurrency.
Cryptojacking, sometimes called criminal cryptomining, is the unauthorized use of a person’s or organization’s computing resources to mine cryptocurrency.
Crypto-malware is a form of malware that enables a threat actor to carry out cryptojacking activity. While the process used by hackers is essentially the same as compared to that used by legitimate cryptominers, crypto-malware leverages another user’s devices and processing power to gain payment. In doing so, these attacks drain significant resources from the victim’s computer without any payoff for the device’s owner.
2021 CrowdStrike Global Threat Report
Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.Download Now
Why are crypto-malware attacks on the rise?
As the value of cryptocurrency continues to rise and its use becomes more ubiquitous, crypto-malware attacks are becoming increasingly popular amongst cybercriminals. In most cases, crypto-malware can run independently and indefinitely once they are executed on the victim’s device. In this way, attackers can assume a steady return on crypto-malware so long as the code remains undetected.
With new variants of crypto-malware being created and new cryptocurrencies continuously in circulation, we are likely to see a further increase in crypto-malware attacks in the near future.
How does crypto-malware work?
Unlike most malware, crypto-malware does not aim to steal data. Rather, it leverages the victim’s device to continuously and inconspicuously mine for cryptocurrency for as long as possible.
A silent threat, crypto-malware is often disguised as legitimate software that, once downloaded, embeds malicious code into various applications and programs. This code will run in the background and mine for currency any time the victim uses their device.
An advanced method of infection is via a compromised ad or website. When the user visits the infected site, the script runs automatically on the victim’s device. This form of attack is even more difficult to detect since the malicious code is not stored on the computer itself, but in the browser.
Crypto-malware Attacks vs Ransomware Attacks
Crypto-malware attacks and ransomware attacks are both designed to generate income for the attacker. However, the method for doing so varies significantly.
A ransomware attack encrypts a victim’s data until a payment is made to the attacker. If the payment is not made, the ransomware attackers may then sell the information on the dark web as an alternate form of income.
Ransomware remains one of the most profitable tactics for cybercriminals, with the global cost of ransomware in 2020 estimated at $20 billion and the average ransom payment totaling $84,000.
Crypto-malware, on the other hand, operates silently and surreptitiously in the background of the user’s system. Unlike a ransomware attack that demands payment directly, the crypto-malware attacker hopes that the malicious code remains undetected as long as possible so that they can continue to mine cryptocurrency using the victim’s device.
What is the impact of a crypto-malware attack?
Since crypto-malware does not explicitly steal data, it may not be regarded as a significant cyber threat on par with a costly ransomware attack, widescale data breach or disruptive virus or Trojan. However, its ongoing use of the victim’s computing power to mine cryptocurrency is draining and significantly impacts the productivity of the user. In most cases, the victim will suffer from significantly slower system processing speeds and may not be able to perform multiple tasks simultaneously.
How to Defend Against Crypto-malware Attacks
Crypto-malware attacks are a relatively new phenomenon. This, coupled with the fact that they are difficult to detect, make them extremely difficult to defend against. In most cases, the best line of protection is through responsible online behaviour on the part of the user. This includes:
- Never clicking unsolicited links or downloading unexpected attachments.
- Only accessing URLs that begin with HTTPS.
- Using a spam filter to prevent a majority of infected emails from reaching your inbox.
- Investing in cybersecurity software, which will detect many threats and even stop them from infecting your device.
- Enabling two-way authentication whenever possible, which makes it far more difficult for attackers to exploit.
Organizations must take additional steps to protect their business assets, customers, employees and reputation from all types of malware and ransomware variants. Steps include:
- Ensure that remote services, VPNs and multifactor authentication (MFA) solutions are fully patched and properly configured and integrated.
- Use machine learning in conjunction with anomaly detection algorithms to detect patterns associated with attacks, including decreased processing speeds in order to improve the security posture.
- Search for indications of malicious activity involving DMARC (Domain-based Message Authentication Reporting and Conformance), DKIM (Domain Keys Identified Mail) and SPF (Sender Policy Framework) failures.
- Scan properties of received messages, including the Attachment Detail property, for malware-related attachment types (such as HTA, EXE and PDF) and automatically send them to be analyzed for additional malware indicators.
- Create a robust training program for employees that educates them about the risks and indicators of spoofing attacks and other exploit techniques. Leverage attack simulators, when possible, to create a real-world training environment.