How to stop cryptojacking and the theft of your computing resources

Cryptojacking is defined as hijacking your desktop / laptop computer, mobile device, or server to surreptitiously mine cryptocurrency for someone else’s profit. In other words, it’s the theft of computational resources (CPU) and energy (electricity).

Cryptojacking most commonly happens through a web browser. Malicious cryptomining scripts (sometimes referred to as coinminers) are frequently found being injected on compromised websites. Some affected sites have been of well-known organizations and government institutions. Many of the hacked sites found were using vulnerable content management systems or compromised third-party services.

Cryptojacking is typically resource intensive as malicious cryptocurrency mining consumes all CPU resources available. This is because the amount of CPU power used correlates to the speed at which hashes can be generated (mined). The faster hashes are mined, the faster money is made.

High CPU usage caused by cryptojacking
High CPU usage caused by cryptojacking can be observed using the Task Manager.

Mined hashes are sent via a WebSocket connection to a mining pool or a service provider such as Coinhive. While Coinhive remains the market leader, I previously documented how to find other forms of cryptojacking malware that have grown in popularity.

Coinhive websocket traffic shown in Fiddler.
Coinhive websocket traffic shown in Fiddler.

MinerBlock

Cryptojacking can be stopped by using a browser extension designed to block malicious cryptocurrency mining scripts.

minerBlock

I recommend using MinerBlock to stop cryptojacking in your browser. This is an easy solution which requires no additional configuration out of the box. MinerBlock prevents cryptojacking using two methods: a frequently updated blacklist and detection of JavaScript executing cryptomining behavior. It’s available for Chrome, Firefox, and is open source.

CoinBlockerLists

Another effective method to stop cryptojacking is at the network level (firewall) to prevent the malicious code from reaching your endpoints. I recommend using the CoinBlockerLists for this purpose. These lists are constantly updated as new malicious domains are frequently found.

The lists are available in various formats to easily integrate with your existing solution. A FireHOL feed is also available. For MacOS users, this guide illustrates how the CoinBlockerLists can be implemented using firewall software Little Snitch. Other methods such as DNS filtering using Pi-hole can be used with the CoinBlockerLists.

Resource monitoring

As an independent security researcher, I don’t recommend a specific endpoint protection product for enterprises. Many antivirus / antimalware products such as Malwarebytes, ESET, Avast, Kaspersky, and Windows Defender will block most forms of cryptojacking and coinming malware.

Even with some form of AV protection, resource monitoring of your on-premise and cloud infrastructure is critical. High CPU usage over a sustained period of time is the most apparent indicator of compromise in cases of cryptojacking. Consuming excessive computational resources will increase your cloud service provider bills and energy (electricity) costs.

PRTG logo

Personally, I use PRTG for all my monitoring needs. Paessler recently published a case study featuring my use of the PRTG to monitor cryptojacking incidents. The impact of resource abuse and theft highlights the importance of monitoring. PRTG is free to use up to 100 sensors and can be downloaded here.

If you’d like to learn more about my work and what others are saying about it, please view my references page. I also coauthored a research paper, A first look at browser-based cryptojacking, for further reading on this topic.

As always, I’m most active on Twitter — follow me @bad_packets.

Leave a Reply