Why Cryptomining Malware Is The New Cash Cow of Virus Authors

As electricity rates go up, and ASIC machines are increasing in price, people of questionable character that place bets in mining have only one solution left. This is to enable them to harness someone else CPU and GPU cycles and use the stolen cycles for cryptomining. The principle taking someone’s computing cycles for a collective effort is nothing new, as volunteer efforts like the Seti@home and Folding@home have been in operation for more than a decade. Though compared to the two examples that are completely voluntary and the result is for the good of humanity overall, crypto mining malware only has one motivation and that is to earn a profit for the cybercriminals.

The world is not ready for crypto mining malware, as it is a new platform for virus authors to earn income in a less hyped way. Remember that the bread and butter of virus authors used to be Ransomware. Those institutions and individuals that lack a credible backup strategy and need the encrypted data are targeted, they have no choice but to pay the ransom. Ransomware made a lot of money for cybercriminals, SamSam alone made $850,000 ransom income. However, the news about Ransomware is very loud, the end result people became educated on how to mitigate and prevent it.

Cryptomining malware earns a profit for the virus authors, without the disadvantage of the very loud Ransomware phenomenon. A crypto mining malware does not need to announce itself to the user, it is silently running in the background of the infected machine. The PC users have no direct way to realize that the computer they are using is quietly mining Bitcoin or its derivatives. Take a look at the Youtube case of crypto mining or the Tesla case, examples of big-time firms with highly technical computer literate employees, but were also victims of cryptomining.

Cryptojacking Long Term Damage

Devices of all sizes are covered by the cryptojacking malware. Even platforms with a low market share like the MacOS and Linux have existing cryptojacking virus available for them. The mobile space is also included, the Android platform is vulnerable as it allows installation of apps outside the Official Google Play Store. Users downloading sketchy apps external from Play Store are facing a risk of installing trojan horse apps that contain cryptojacking feature.

A cryptojacking virus will overextend the use of the system resources, making it overheat and use more power for a long term. A normally operating PC or mobile device always has an on-demand use of the CPU and GPU. This means when the need for more CPU/GPU power is not needed it automatically downclocks to save battery life and keep the device cool. A device that became part of the cryptomining botnet, the CPU/GPU will always be operating at their optimal clock speed. This situation lessens the life of the device, as heat generation will be constant. Consequently, for a desktop computer this will result in higher electricity cost while for mobile devices, it will result in shorter battery life.

As the botnets composed of cryptojacking virus will continue to grow, as such infection is very difficult to detect, the virus authors have another revenue stream on their hands. The GPU and CPU cycles that the cryptojacking malware stole, can also be sold to other cybercriminal organizations for use with DDOS (Denial of Service Attacks) against a certain target. As the crypto hash complexity grows as time passes, virus authors can switch their business model from mining bitcoins and its derivative to just sell CPU and GPU cycles to the highest bidder.

How to detect cryptojacking malware

The network administrators can use Simple Network Management Protocol tools in order to detect questionable access to unknown IP addresses or domain names. From that point, the malicious site and IP can be blocked from the router or through the Active Directory Group Policy. The problem to solve is the lack of user education that crypto jacking malware exists. Users are familiar with ransomware because it does not hide from the former, while cryptojacking malware’s primary behavior is to do everything to evade detection.

IT teams need to conduct user training since the only way to detect hidden activity is being alert with the system resources. A continued high usage of CPU resources without the user executing a heavy application is something that needs to be reported in order to find out the bottom line of it.