A Way to Help Locate Hidden Cryptojacked Systems

In the world of information technology, there is a wide variety of software products and tools available for anyone to use. For the most part, these applications are designed to perform something of value for their users. From spreadsheets to computer games, the vast majority of software can be classified as harmless as long as it is used responsibly.

Unfortunately, not all software is written with good intentions. Many different forms of malicious software, better known as malware, exist and are used by bad actors for a variety of reasons. In some cases, the hackers are looking to cause havoc or destroy data residing on the infected systems. This type of malware is usually discovered after it has done at least some of its intended damage.

There are often financial incentives driving the spread of malware as the unscrupulous culprits attempt to profit from their activities. Ransomware is a prime example of malware that is weaponized for financial gain. In a ransomware attack, data is encrypted by the malware and held for ransom. The decryption keys required to access the organization’s data are provided once the money, often in bitcoin, is transferred to the criminals.

You will be notified that you have been hit with ransomware. The attackers need to let you know they are in your systems to convey their demands. Once the attack begins, there is no attempt made to hide it from its victim.

Cryptojacking is Different

Cryptojacking employs a more covert strategy as it attempts to achieve financial benefits for its perpetrators. Cryptojackers are interested in surreptitiously using an organization’s computing power to mine cryptocurrency on their behalf. They hijack a system’s CPU or GPU and direct them to run the processor-intensive algorithms that are used to mine for cryptocurrency.

The goal of a cryptojacking attack is to gain access to the processors while remaining unobserved. In this way, the malware can be a continuous drain on computing resources while it continues to mine. It’s much quieter than an attack by ransomware or disk-wiping malware, but it can have serious repercussions for the affected enterprise.

The reason that hackers want to use someone else’s computers or devices to mine cryptocurrency is that it is an expensive proposition to do by themselves. The most efficient way to mine is by using a network of connected machines to share the load of processing the complex mathematical calculations involved in mining. Infecting multiple machines in an environment is the preferred method of cryptojacking which also needs to include a way of communicating the results of the calculation back to the perpetrators.

Systems that have been infected with malware may experience several detrimental issues. They include:

  • High processor usage caused by the mining routines;
  • Inexplicably slow respond time;
  • Excessive heat generation.

These symptoms are all the result of the processors being used for crypto-mining rather than their usual functions. The additional costs in cooling the devices and the loss of enterprise resources can add up over time. Slow response time can drive customers away from your site.

While a ransomware attack may be more dramatic, cryptojacking can be equally harmful to the victim. If an organization spends $1000 ransoming a database or purchasing additional and unnecessary CPU power, they are still out the same amount of money. Electricity for cooling and slow response time may add up to a substantial sum over the time that systems are being cryptojacked. It’s a deviously subtle method of extracting financial gain from the victim’s computing power while trying to remain unnoticed.

Identifying Potentially Cryptojacked Systems

Due to the secretive nature of cryptojacking, it can be difficult to know when systems have been compromised. Your computing infrastructure will be affected but in most cases, systems will continue to operate with degraded levels of performance. Some things to look for are slow systems, unexplained spikes in CPU or GPU usage, and unexpected outbound data transmission. Differentiating cryptojacking from other issues that can impact your systems demands that you think out of the box.

Antivirus and malware detecting software are essential weapons with which to protect your systems. However, they don’t always catch everything and there could be cryptojacking software spread out over your infrastructure at this very moment. One way to identify systems that may have been hit is through the use of monitoring. Comparing current trends in usage and response time against historical baselines can point to systems that are not acting as expected. You might be wondering why systems are inexplicably sending outbound data at regular intervals. If other causes of the problems can be eliminated, it may be time to fully scan and remove any programs or apps that shouldn’t be there.

IDERA’s Uptime Infrastructure Monitor can serve as a valuable tool for identifying cryptojacked systems through its comprehensive set of features. While it is designed to help maintain server performance and availability, the tool provides information that can be used to isolate servers which may have been cryptojacked as well. It can help you find those apps lurking in the background and get rid of them so they stop siphoning off resources that belong to your organization.

Anonymous