
Cryptojacking Explained

Cryptojacking is when an attacker hijacks your processing power to mine cryptocurrency for their own benefit.


What is cryptojacking?

Cryptojacking is when an attacker hijacks your processing power to mine cryptocurrency for their own benefit. This can occur either on a computer you own and control on-premises or on virtual machines in the cloud.

Cryptojacking uses malicious code embedded in websites or malware installed on your device to exploit your resources without your knowledge. This slows down devices, blocks legitimate users from accessing your resources, and could also leave you with sky-high cloud costs. There are many other potential negative repercussions for businesses and individuals, from loss of data privacy to the inability to keep using affected systems.

To understand what cryptojacking is and how to prevent it, let’s take a look at a few basic facts about cryptocurrency.

Cryptocurrency and crypto mining

Cryptocurrency is a type of digital money; it gets its name from the cryptography used to secure it. The main characteristic distinguishing cryptocurrencies from standard, or fiat, currency is decentralization: cryptocurrencies are not controlled by a single central entity (like a bank or a government). Instead, a secure public record called the blockchain verifies and tracks all transactions to ensure transparency and trust.

To securely create new coins, most cryptocurrencies must be mined, meaning a user solves a very complex cryptographic puzzle. The miner is rewarded for this work with very small payments made in the cryptocurrency being mined.

Since the rewards for crypto mining are very small, users must mine a lot of cryptocurrency in order to generate reasonable profits. This does not provide a good model for legitimate mainstream businesses wishing to profit from crypto mining. Law-abiding organizations are limited by the number of CPUs they have available. They must either purchase physical infrastructure or pay for cloud resources, costs that they might not recoup from crypto mining’s small proceeds.

Malicious actors have found a better way to profit: illegally hijacking victims’ devices to mine cryptocurrency—hence the term cryptojacking—while they sit back and reap the rewards.

Cryptojacking malware

Unlike other types of malware, cryptojacking malware won’t necessarily shut down your computer or destroy your data. Threat actors deploying cryptojacking malware generally want everything functioning in tip-top shape.

That said, standard cryptojacking malware will almost certainly compromise your device’s performance. Mining crypto ties up the CPU so that it’s too busy to handle legitimate requests. In the cloud, this could also lead to the creation of additional instances to handle what is perceived as extra load, potentially driving cloud costs into the stratosphere.

Advanced cryptojacking techniques, such as proof-of-storage cryptojacking malware, won’t have the physical side effects and impact on computing power but could seriously drive up cloud bills, scaling up storage to major proportions without your knowledge or consent.

As with many other types of malware, the most common vector for cryptojackers is social engineering—tricking a user into clicking a link that will, in turn, download and install the malicious cryptojacking application.

Why is cryptojacking a major cloud cybersecurity threat?

At first glance, cryptojacking may seem like a less serious threat than much of what’s out there today. Yet the repercussions for the organization can be serious:

  • Spiraling costs: Hidden mining increases resource costs and your overall cloud services spend.

  • Performance problems: Stolen processing power slows devices, harming individual and organizational productivity. Cryptojacking decreases the efficiency and speed of genuine computing workloads, affecting legitimate users like employees, customers, and end users.

  • Privacy and security risks: Since cryptojacking malware has already gained access to your environment, it can simplify lateral movement to help attackers achieve other goals, like stealing sensitive data.

  • Other attacks: Attackers may take advantage of the access they have already gained to your environment to introduce other types of malware, causing additional harm, such as exfiltration of confidential end-user or employee data.

Plus, cryptojacking profits are often funneled back into other cybercrime activities, broadening the scale of the harm malicious actors are able to achieve.

Three types of cryptojacking

These are the most common ways attackers can steal your resources to make money through cryptojacking:

Each method is described below by how it works, how it differs from the others, and its impact.

1. Browser-based cryptojacking
   How it works: Runs directly in the browser; no software install required.
   How it’s different: Malicious code loads right in the browser on a website, using your browser’s resources to solve complex math problems for cryptocurrency mining.
   Impact:
     • Undetectable by users
     • Slower browsing
     • Higher CPU usage
     • Unreliable performance

2. Host-based cryptojacking
   How it works: Malware infects the device, using your processing power (CPU/GPU) to mine cryptocurrency.
   How it’s different: Persistent files left on the system may make detection easier.
   Impact:
     • Overall slowdown
     • Laggy, unreliable performance
     • Extreme heat and power use (for on-premises devices only)

3. Memory-based cryptojacking
   How it works: Uses complex techniques like code injection and memory manipulation to access and manipulate RAM (memory).
   How it’s different: Operates in real time almost entirely within RAM, leaving no trace on disk.
   Impact:
     • Greater resource consumption, as with the other two types

Some cryptojacking malware may also use a hybrid approach that takes advantage of browser and host.

Anatomy of a cryptojacking attack

Most cryptojacking attacks follow a fairly standard methodology:

  1. An attacker creates crypto-mining software and hides it in a website, within application code, or behind an innocuous-seeming link.

  2. A victim connects, unknowingly downloading the software.

  3. The software silently uses the victim's CPU or other resources to mine cryptocurrency by solving cryptographic “puzzles” and reaping rewards in cryptocurrency. Rewards accumulate in the attacker’s crypto wallet, and the cryptojacking persists until it’s detected—which could be a very long time.

Advanced cryptojacking malware may also use “worm” abilities to spread laterally throughout the environment, infecting connected resources. This maximizes gains for the attacker while multiplying the potential damage within your organization.

Your 5 best defenses against cryptojacking

1. Deploy modern cybersecurity protection

Today’s protection must include endpoint detection and response (EDR) for all physical devices, along with cloud detection and response (CDR), which monitors, detects, and provides response capabilities for all cloud-based resources. As part of your overall approach to security, EDR should restrict unauthorized scripts, using ad blockers if possible, and block access to sites based on reputation.

In addition, CDR streamlines security in cloud environments, giving you deep visibility across VMs, containers, serverless functions, and your entire infrastructure. That means you can pinpoint threats quickly and set up automated responses that save work for your team, like quarantining workloads or network isolation, ensuring nothing falls through the cracks.

2. Keep software and systems regularly updated

Patching should be the cornerstone of your organization’s proactive defense against cryptojacking, ideally incorporating automation to cut the IT team’s workload. Patch management identifies and installs software updates to fix vulnerabilities and bugs, along with other improvements such as performance enhancements and new features. Cryptojacking often takes advantage of software vulnerabilities, including long-standing vulnerabilities, so choose a modern patching solution that helps you prioritize so your most sensitive assets are patched first.

3. Keep an eye on cloud costs

Regularly monitor your cloud spend to avoid unpleasant surprises caused by cryptojacking. In one case, Microsoft analysis identified $300,000 in excess compute fees. Unexpected surges in compute or storage fees can indicate unauthorized resource utilization. Cloud cost management tools and spending alerts can help you flag anomalies early on, ensuring that you can take corrective action and avoid potential losses.
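The spending-alert idea above, as an added example (not Wiz code or a Wiz product feature): each day’s spend is compared with the median of the preceding days, and compute and storage are checked separately so that a storage-only surge of the kind proof-of-storage mining produces is also caught. All cost figures are constructed.

```python
"""Added example: flag unexpected surges in daily cloud spend.
A day is anomalous when its cost exceeds `ratio` times the median of the
preceding `window` days. Figures below are constructed, in USD."""
from statistics import median

# Constructed daily spend per service, 14 days, oldest first. Compute jumps
# on day 7 (a CPU miner); storage starts climbing on day 10 (storage abuse).
DAILY_SPEND = {
    "compute": [210, 205, 215, 198, 220, 212, 208, 640, 655, 670, 690, 700, 710, 705],
    "storage": [40, 41, 40, 42, 41, 40, 43, 42, 41, 44, 130, 260, 390, 520],
}

def flag_cost_anomalies(series, window=7, ratio=1.5):
    """Return the day indexes whose spend exceeds ratio * median of the prior
    `window` days. The baseline uses only earlier days, so a new spike stays
    flagged for several days instead of instantly becoming the new normal."""
    flagged = []
    for day in range(window, len(series)):
        baseline = median(series[day - window:day])
        if baseline > 0 and series[day] > ratio * baseline:
            flagged.append(day)
    return flagged

def cost_report(spend, window=7, ratio=1.5):
    """Anomalous day indexes per service, e.g. {'compute': [7, 8, 9, 10], ...}."""
    return {svc: flag_cost_anomalies(vals, window, ratio) for svc, vals in spend.items()}
```

Once the spike has filled more than half the window the median catches up and the alert clears, which is why the report should be acted on, not just logged.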

4. Train employees on phishing and avoiding suspicious links/attachments

Educating employees on social engineering tactics like phishing can significantly reduce the risk of cryptojacking infection. However, it’s important not to rely solely on this line of defense given the increasing sophistication of malware attacks. Beyond ensuring that employees are equipped to identify suspicious communications and sites, be sure to minimize attack surfaces. The principle of least privilege (PoLP) grants only essential permissions to users, software, and devices, reducing the potential impact of breaches. And remember to regularly remove unused accounts to further tighten security.

5. Implement real-time monitoring and threat detection

One of the hallmarks of cryptojacking malware is that it can remain hidden for long periods of time, staying under the radar of many threat detection systems while it continues generating profits for attackers. That’s why real-time threat detection is crucial. An effective CDR solution will incorporate behavioral analytics, identifying anomalies in your organization’s patterns of cloud server use—for example, in system logs, network traffic, and commands—with the goal of stopping crypto mining before it impacts your business.
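Two of the behavioral signals named above, run over constructed host telemetry, as an added example (not Wiz code): a process pinned near full CPU for several consecutive samples, and a command line that references the stratum mining-pool protocol. The `stratum+tcp://` scheme is real; every host name, pid, path and process below is constructed, and the short high-CPU build job shows why a single sample is not enough.

```python
"""Added example: two behavioural cryptojacking signals over constructed
host telemetry. Signal 1: sustained high CPU for one process. Signal 2: a
command line pointing at a stratum mining pool. All names are constructed."""
from collections import defaultdict

# Constructed samples, ordered by time: (time, host, pid, cpu_pct, cmdline).
# ci-02 pid 777 is a legitimate short build job; web-01 pid 120 is the app.
SAMPLES = [
    ("10:00", "web-01", 412, 96.0, "/var/tmp/minerd --url stratum+tcp://pool.example.invalid:3333"),
    ("10:00", "web-01", 120, 55.0, "java -jar app.jar"),
    ("10:00", "ci-02", 777, 98.0, "gcc -O2 main.c"),
    ("10:05", "web-01", 412, 99.0, "/var/tmp/minerd --url stratum+tcp://pool.example.invalid:3333"),
    ("10:05", "web-01", 120, 40.0, "java -jar app.jar"),
    ("10:05", "ci-02", 777, 95.0, "gcc -O2 main.c"),
    ("10:10", "web-01", 412, 97.0, "/var/tmp/minerd --url stratum+tcp://pool.example.invalid:3333"),
    ("10:10", "ci-02", 777, 5.0, "gcc -O2 main.c"),
    ("10:15", "web-01", 412, 98.0, "/var/tmp/minerd --url stratum+tcp://pool.example.invalid:3333"),
]

STRATUM_MARKERS = ("stratum+tcp://", "stratum+ssl://")

def stratum_in_cmdline(cmdline):
    """True if the command line references a stratum mining-pool URL."""
    return any(marker in cmdline.lower() for marker in STRATUM_MARKERS)

def sustained_high_cpu(samples, threshold=90.0, min_consecutive=3):
    """(host, pid) pairs at or above `threshold` for at least `min_consecutive`
    consecutive samples; a brief burst such as the build job does not qualify."""
    run_length = defaultdict(int)
    flagged = set()
    for _, host, pid, cpu, _ in samples:
        key = (host, pid)
        run_length[key] = run_length[key] + 1 if cpu >= threshold else 0
        if run_length[key] >= min_consecutive:
            flagged.add(key)
    return flagged

def detect(samples):
    """Sorted (host, pid, reason) findings from both signals."""
    findings = {(h, p, "sustained_high_cpu") for h, p in sustained_high_cpu(samples)}
    for _, host, pid, _, cmdline in samples:
        if stratum_in_cmdline(cmdline):
            findings.add((host, pid, "stratum_cmdline"))
    return sorted(findings)
```

A process that trips both rules, as pid 412 does here, is a much stronger lead than either signal alone.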

Defending against cryptojacking with CNAPP

Wiz is a cloud security platform that proactively identifies and remediates vulnerabilities and misconfigurations that cryptojacking malware could exploit to gain a foothold. On top of this, its CDR capabilities can identify and remediate even the most advanced malware.

As a cloud native application protection platform (CNAPP), Wiz empowers your organization to stay ahead of attackers and secure your cloud environments in several ways:

  • Unmasking hidden cloud risks based on your critical and most exposed assets

  • Prioritizing real threats, not CVEs, using Wiz’s “toxic combinations” score that’s based on real impact to your business

  • Putting an end to alert fatigue with clear, high-efficacy detections and remediation guidance

Wiz gives you centralized control for all security, and it’s scalable and agentless—meaning there’s never anything to install. Plus, you’ll get seamless integrations and AI insights. See for yourself. Get a demo and experience the simplicity and security Wiz brings to your entire cloud environment.
