Cryptominers: The New Top Threat to Your Endpoints

Ransomware has been dominating headlines recently. In 2017, ransomware broke into the popular consciousness, thanks to high-profile attacks like WannaCry and NotPetya. However, ransomware is no longer the top cybersecurity threat. According to the Comodo Cybersecurity Threat Research Labs’ Q1 Global Malware Report, ransomware has been replaced as the top cyber threat by cryptomining software, with 10 percent of malware incidents in the first three months of 2018 related to cryptomining.

There’s no “one size fits all” solution to deal with cryptominers. However, with data-level visibility into all file activity on your endpoint devices, you can locate and remediate cryptominer infections.

A paralyzing threat that’s hard to see

Cryptominers hijack resources from the owner of a device for the attacker’s profit. On a single machine, a cryptominer may cause a performance drain, but it can be subtle enough to go unnoticed by the user. However, cryptominers don’t typically infect just one machine; attackers more commonly deploy botnets of infected systems working in tandem to make their money off your equipment and, potentially, your customers. One system vulnerability is invariably linked to many others, which means your whole network could be exposed to further exploits and other cybercriminals.

In addition to exposing your customers to risk, a widespread cryptominer infection can cause an enterprise-wide resource drain that can also have real effects on productivity. Cryptomining also comes with huge energy costs. A big spike in your electricity bill is one of the surest signs of illicit cryptomining in your enterprise. 

Locating cryptominers can be tricky. Some variants are scripts embedded in websites that can be addressed with ad-blocking software. Others (which tend to target large enterprises) aren’t as easy to deal with. More sophisticated miners are often hidden within image files on compromised web servers. When users visit a compromised site or click an email link, the cryptomining tools attempt to plant the malicious image files on their machines.

Rooting out cryptomining software

If you have a data visibility tool that can search across your organization’s endpoints for specific files and file metadata, you can locate malware in your organization. In the case of cryptominers, using a forensic file search tool to search for JavaScript files associated with known cryptomining tools can tell you where those scripts exist. Once located, the malicious files on the infected endpoints can simply be deleted. In the case of more serious infections, the machine can be reverted to a point before infection with your endpoint backup solution.
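As an added illustration of the file search described above (example code written for this page, not a product feature), the scanner below checks a constructed set of endpoint files two ways: a SHA-256 blocklist catches previously confirmed miner scripts even when they are obfuscated, and content patterns (mining-pool URLs and miner-specific identifiers) catch repacked variants whose hashes are new. The sample files, the hash list and the pattern set are all assumptions built inline for the demo.

```python
import hashlib
import re
from typing import Dict, List, Set, Pattern

# Constructed sample of what an endpoint file search might return (path -> bytes).
# None of this is real malware; the "miner" file only contains strings that are
# typical of JavaScript miners (a stratum pool URL and a mining algorithm name).
SAMPLE_FILES: Dict[str, bytes] = {
    "/home/alice/Downloads/invoice.js": b"document.write('hello world');",
    "/var/www/html/assets/app.min.js":
        b"var m=new Miner({pool:'stratum+tcp://pool.example.invalid:3333',"
        b"algo:'cryptonight'});m.start();",
    "/home/bob/cache/obf.js": b"eval(atob('Zm9v'));",  # obfuscated stand-in
    "/home/bob/site/vendor/lib.js": b"function add(a,b){return a+b;}",
}

# Content indicators (assumed for this example; a real deployment would feed
# these from threat intelligence). Pool URLs and algorithm names survive renaming.
MINER_PATTERNS: List[Pattern[bytes]] = [
    re.compile(rb"stratum\+tcp://", re.I),
    re.compile(rb"cryptonight", re.I),
    re.compile(rb"\bminer\.start\(", re.I),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash blocklist of "previously confirmed" samples. Constructed: we pretend the
# obfuscated file was confirmed earlier, so it is caught by hash even though no
# content pattern matches it.
KNOWN_BAD_HASHES: Set[str] = {sha256(SAMPLE_FILES["/home/bob/cache/obf.js"])}


def scan_file(data: bytes, bad_hashes: Set[str], patterns: List[Pattern[bytes]]) -> List[str]:
    """Return the reasons a file is flagged (empty list means clean)."""
    reasons = []
    digest = sha256(data)
    if digest in bad_hashes:
        reasons.append("hash:" + digest[:12])
    for pat in patterns:
        if pat.search(data):
            reasons.append("pattern:" + pat.pattern.decode())
    return reasons


def scan_endpoint(files: Dict[str, bytes], bad_hashes: Set[str] = KNOWN_BAD_HASHES,
                  patterns: List[Pattern[bytes]] = MINER_PATTERNS) -> Dict[str, List[str]]:
    """Scan only .js files and map each flagged path to its detection reasons."""
    hits: Dict[str, List[str]] = {}
    for path, data in files.items():
        if path.lower().endswith(".js"):
            reasons = scan_file(data, bad_hashes, patterns)
            if reasons:
                hits[path] = reasons
    return hits
```

Each flagged path carries why it matched, which is what an analyst needs to decide between deleting the file and restoring the whole endpoint from backup.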

Cryptomining software is one of the more challenging malware categories to deal with because there are so many varieties in existence. And, because the impact on an individual machine may be minimal, it is tempting to just ignore the problem. But, according to Malwarebytes, “unmanaged cryptocurrency miners could seriously disrupt business or infrastructure-critical processes by overloading systems to the point where they become unresponsive and shut down.” With comprehensive visibility into the data and metadata in your organization, you can more quickly identify and respond to cryptominers when you first suspect infection.

What If Ransomware Was Just an Annoyance Rather Than a Crisis?

Imagine this: despite a strong firewall, your department is attacked by the latest ransomware that locks up all your employees’ devices right in the middle of the day, effectively stopping work.

Fifty minutes later, every device is back up and running, employees are back to work, your phone has gone blessedly silent, and the package of Tums you keep in your desk drawer lies undisturbed. And…you haven’t paid the ransom.

It’s possible. Here’s how.

It’s not just ransomware itself that’s a threat to businesses; it’s the increasing pace at which it evolves into ever more powerful superbugs that infect systems and evade detection.

The knee-jerk reaction from some in the security space: try to keep up with ransomware’s mutations by evolving prevention faster than the threat. But that is not a winnable game. While you may be able to defend your most valuable servers, it’s not uncommon for the attacker to find their way in through your endpoints. Faced with this reality, many companies are now just paying off ransoms with cryptocurrency, a short-sighted solution that doesn’t always work and that only makes you the target for more ransomware attacks.

Here’s a better approach: Adapt your preventative defenses, but work in parallel to deploy a ransomware-proof recovery plan for all of your vulnerable devices, including every endpoint.

What does a ransomware-proof recovery plan for endpoints look like? Here’s a quick step-by-step guide:

  1. Take stock of every endpoint device in your organization.
  2. Back up the data on every endpoint device. The more frequently you back it up, the less data you are at risk of losing in a ransomware attack. Backing up every 15 minutes is best practice.
  3. Back up your endpoint data in a solution independent of your cloud collaboration software. Ransomware can infect shared folders and, in some cases, spread to other devices even faster through them.
  4. Confirm that your backup storage is not susceptible to ransomware attack.

With this recovery approach in place, any endpoint device locked by ransomware can be unlocked by wiping the device and fully restoring the user’s data from your backup stores. With practice and a well-documented process, users can be up and working in less than an hour after a ransomware attack.

Good prevention tactics will help reduce the cost and disruption caused by ransomware, but won’t eliminate your risks. Enacting a recovery plan that accounts for every endpoint is the most important next step you can take to limit ransomware’s impact on your organization.