Acronis Active Protection takes the fight to cryptojacking

Anna Vinogradova, Digital Marketing Manager
While there were several headline-grabbing ransomware attacks in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Cybercriminals started to deliver mining payloads that were often packaged with ransomware and other kinds of malware.

This year, big cryptomining botnets began infecting not only Windows and Linux machines but also websites and various IoT devices. Within a year, the number of cryptomining malware strains grew several thousand percent, making it a huge threat to computer systems everywhere.

While it might not seem dangerous at first, illicit cryptomining can actually create a lot of problems. Let’s examine why.

Who is under threat?

When it comes to cryptojacking, just about any internet-connected device with a CPU can be a target. As always, most attacks focus on Windows-based machines and servers because they are so prevalent and popular, although Linux servers are another favourite. Servers are particularly attractive targets as they usually run 24/7, making them ideal candidates for illicit cryptomining.

Does this mean cybercriminals won’t bother with mobile devices, tablets, printers, routers and smart TVs? Of course not. They’ll steal computing power wherever they can get it, but those devices are less effective and less profitable.

The effect of Cryptojacking

A malware infection that steals system resources might not sound like a big threat, but illicit cryptomining can create serious consequences for the affected systems, networks and businesses, including:

  • Degraded system and network performance;
  • Increased power consumption, system crashes, and potential physical damage from component failure;
  • Disruption of regular operations;
  • Financial loss from downtime caused by component failure and the cost of restoring systems;
  • Additional electricity costs from the increased power consumption;
  • Big reputational loss and potential lawsuits.

Real-world impact

Let’s look at how a cryptomining malware attack might affect a real-life business. The target is a mid-size company, and all 200 of their endpoints are infected. The continuous mining causes their electricity bills to skyrocket. Machines are slower than usual, but not too bad, so employees simply ignore the situation. The slower machines mean they are less productive, but there’s no red flag that requires a call to a system administrator. As a result, the infection goes unnoticed for a couple of months.

During that time, a backdoor is installed that begins stealing confidential information. After two to three months, the strain of the 24/7 overload causes a couple of servers and an accounting endpoint machine to go down – stopping operations.

After a few days of downtime and a costly investigation, the company loses several hundred thousand dollars. In the end, it’s leaked to the press that confidential data has been lost, which causes tremendous damage to the company’s reputation. 

Acronis Active Protection extended to fight Cryptojackers

The good news is that you can avoid this scenario with Acronis Active Protection-enabled products like Acronis True Image 2019 Cyber Protection and Acronis Backup. As a cyber protection company that cares about data safety and constant availability, Acronis has watched the evolution of cryptojackers closely. In addition to the potential threat to data availability and manageability, many strains of cryptomining malware often add a ransomware payload as well, so it was clear that Acronis Active Protection’s set of technologies needed to be upgraded to protect against illicit cryptomining.

The set of heuristics that are a foundation of Active Protection was expanded to detect the following scenarios on a Windows system:

  • Suspiciously high CPU loads. The definition of “excessive” can be adjusted in real time and can be instantly changed by Acronis’ security experts.
  • Use of Event Tracing for Windows (ETW). Cryptojackers make network requests to connect to known mining pools; Active Protection can identify and filter out such requests. 
  • Windowless processes. In order to stay hidden, most cryptojackers will not create a window. Acronis Active Protection monitors for windowless operations.
  • Launches with specific command line arguments. Some specific command line arguments are typical of cryptomining activity, so Active Protection watches for these as well.

Those four scenarios cover all the known threats from illicit mining, so detecting them allows Acronis to deliver the necessary protection.

For Acronis True Image 2019 users, cryptomining detection will look almost the same as ransomware detection.

When mining malware is detected running on the system, Acronis True Image notifies the user so they can decide how to deal with it – blacklisting malicious processes or whitelisting a known process (if the user is running a legitimate mining app, for example). Acronis Active Protection does not include detection of browser-based cryptojacking, since those attacks are easily thwarted by browsers themselves or via third-party plugins that are readily available in browser stores.
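The four heuristics listed above and the allow/block decision the user makes once a miner is flagged can be combined into a single scoring routine. The following Python is an added illustration written for this article, not Acronis code: it runs over constructed process telemetry (sustained CPU load, whether the process owns a top-level window, its command line, and the outbound hosts seen in ETW network events). The pool hostnames, weights and thresholds are assumptions; the only real indicator is the `stratum+tcp://` URL scheme that mining pools use.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class ProcessRecord:
    """One process as an endpoint agent might report it (constructed shape)."""
    pid: int
    image: str                 # full executable path
    cpu_percent: float         # sustained CPU usage over the sampling window
    has_window: bool           # owns at least one top-level window
    cmdline: str
    remote_hosts: List[str] = field(default_factory=list)  # hosts seen in ETW network events


@dataclass
class Verdict:
    pid: int
    image: str
    score: int
    reasons: List[str]
    action: str                # "allow", "alert" or "block"


# Assumed indicator data. The pool hostnames are constructed placeholders; the
# "stratum+tcp://" URL scheme is the one real indicator (mining pools use it).
KNOWN_POOL_HOSTS: Set[str] = {"pool.example-miner.invalid", "xmr.example-pool.invalid"}
SUSPICIOUS_CMDLINE_MARKERS = ("stratum+tcp://", "--donate-level")

# Tunable at run time, mirroring the adjustable definition of "excessive" CPU load.
CONFIG: Dict[str, float] = {"cpu_threshold": 85.0, "alert_threshold": 4}

# Weights are assumptions: a windowless process alone is common and weak evidence,
# while a pool connection or a miner-style command line is strong evidence.
WEIGHTS = {"high_cpu": 2, "mining_pool_connection": 3, "windowless": 1, "miner_cmdline": 3}


def heuristics(p: ProcessRecord) -> List[str]:
    """Return the names of the four heuristics this process trips."""
    reasons = []
    if p.cpu_percent >= CONFIG["cpu_threshold"]:
        reasons.append("high_cpu")
    if any(h.lower() in KNOWN_POOL_HOSTS for h in p.remote_hosts):
        reasons.append("mining_pool_connection")
    if not p.has_window:
        reasons.append("windowless")
    cmd = p.cmdline.lower()
    if any(marker in cmd for marker in SUSPICIOUS_CMDLINE_MARKERS):
        reasons.append("miner_cmdline")
    return reasons


def score_process(p: ProcessRecord, allowlist: Set[str], blocklist: Set[str]) -> Verdict:
    """Combine heuristic weights with the user's allow/block lists into one verdict."""
    reasons = heuristics(p)
    score = sum(WEIGHTS[r] for r in reasons)
    image = p.image.lower()
    if image in blocklist:
        action = "block"            # user already blacklisted this process
    elif image in allowlist:
        action = "allow"            # user whitelisted it, e.g. a legitimate mining app
    elif score >= CONFIG["alert_threshold"]:
        action = "alert"            # notify the user, who then decides
    else:
        action = "allow"
    return Verdict(p.pid, p.image, score, reasons, action)


def scan(records: Iterable[ProcessRecord], allowlist: Iterable[str] = (),
         blocklist: Iterable[str] = ()) -> List[Verdict]:
    allow = {a.lower() for a in allowlist}
    block = {b.lower() for b in blocklist}
    return [score_process(r, allow, block) for r in records]


# Constructed telemetry: a hidden miner, a busy but legitimate renderer, a miner the
# user approved, a previously blacklisted binary, and a windowless backup service.
SAMPLE_TELEMETRY = [
    ProcessRecord(4120, r"C:\Users\alice\AppData\Local\Temp\svchost32.exe", 97.5, False,
                  "svchost32.exe -o stratum+tcp://pool.example-miner.invalid:3333 --donate-level 1",
                  ["pool.example-miner.invalid"]),
    ProcessRecord(2210, r"C:\Program Files\Blender\blender.exe", 95.0, True,
                  "blender.exe -b scene.blend -a"),
    ProcessRecord(3301, r"C:\Tools\legit-miner\miner.exe", 99.0, False,
                  "miner.exe -o stratum+tcp://xmr.example-pool.invalid:4444",
                  ["xmr.example-pool.invalid"]),
    ProcessRecord(777, r"C:\Users\alice\Downloads\update.exe", 20.0, False, "update.exe"),
    ProcessRecord(1502, r"C:\Program Files\BackupAgent\agent.exe", 90.0, False,
                  "agent.exe --service", ["backup.corp.example"]),
]

USER_ALLOWLIST = [r"C:\Tools\legit-miner\miner.exe"]
USER_BLOCKLIST = [r"C:\Users\alice\Downloads\update.exe"]


def demo() -> List[Verdict]:
    return scan(SAMPLE_TELEMETRY, USER_ALLOWLIST, USER_BLOCKLIST)


if __name__ == "__main__":
    for v in demo():
        print(f"pid={v.pid:<5} action={v.action:<5} score={v.score} reasons={v.reasons} {v.image}")
```

The weighting matters for false positives: the windowless backup agent at 90% CPU scores only 3 and is left alone, because a headless service under load is routine, whereas the same process talking to a known pool or carrying a pool URL on its command line crosses the threshold immediately. The allowlist check sits after the heuristics so that a user-approved miner still gets its reasons recorded, which keeps the decision auditable.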

Acronis’ experts also plan additional developments to further enhance the detection of cryptomining malware. Among the refinements already in the works are:

  • More heuristics addressing real-world illicit cryptomining techniques
  • GPU load detection, which is similar to the current CPU load monitoring
  • Building machine learning models using Acronis’ Artificial Intelligence Cloud, which will simply give a verdict as to whether there is illicit cryptomining activity or not. 

What else you need to do to defend yourself against Cryptojacking

Both home and corporate users need to follow some security rules to be on the safe side. In addition to using solutions that include Acronis Active Protection, we recommend the following to combat illicit cryptomining attacks:

  • Install quality anti-malware software. Good security software recognizes and protects a computer against cryptomining malware, allowing the user or admin to detect and remove an unwanted program before it can do any damage. 
  • Keep your software and operating systems up-to-date. Install updates and patches regularly to cover known vulnerabilities. 
  • Avoid downloading files from shady websites and be very careful with email attachments. Do not open attachments from senders you don’t know, confirm the sender’s email address, and always scan attachments using security software.
  • Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases that consist of at least 16 characters, and can’t be beaten by a simple dictionary attack. 
  • Change default usernames and passwords, following the recommendations above. Default usernames and passwords are readily available to anyone on the internet. 
  • Apply application whitelisting, which is usually a part of an internet security suite or endpoint protection product. It will help you to prevent unknown executables from launching autonomously.
