Crypto Malware: What it is and how to stay protected

Crypto malware is designed to take control of your computer to mine cryptocurrencies—without you even realizing it. Don’t want cybercriminals to take advantage of you? Here’s what you need to know about crypto malware attacks and the steps you can take to protect yourself.

What is crypto malware?

Crypto malware, also known as crypto-malware, is a type of malware that aims to exploit a victim’s device for unauthorized cryptocurrency mining without detection. The attackers gain computing resources and, hence, more crypto, while the victims might experience a slower computer and higher electricity bills—with no payoff. This is also known as crypto jacking.

How does crypto malware work?

To understand crypto-malware, we must first understand how crypto-mining works. To mine crypto, a computer solves puzzles using an algorithm on the blockchain. The more puzzles the computer solves, the more cryptocurrency a user is rewarded with. This process is slow and uses an incredibly high amount of computer processing power and energy. This makes mining an expensive activity, which is why cybercriminals look to offset this cost by mining cryptocurrency using other people’s devices with crypto malware.

Crypto malware vs. crypto-ransomware: Key differences

Crypto malware and crypto-ransomware share the same end goal: obtaining cryptocurrency for the attackers. But their attack methods are completely different.

Crypto malware aims to run in the background, undetected, for as long as possible. It uses the victim’s computer’s resources to mine cryptocurrency, and the attacker does not expect direct payment from the victim.

Crypto ransomware attacks are just like any other ransomware attack. The attacker locks the victim’s device or system, holding it for ransom. Cryptocurrency is the direct payment they seek in exchange for returning the victim’s access. As malware infections typically start ransomware attacks, it can be said that crypto-malware can cause crypto-ransomware.

Read more: How to prevent ransomware

How crypto malware infects devices

Crypto malware is spread much the same way as any other malware. Here are some methods cybercriminals use to infect a device with crypto-malware.

Infection methods used by hackers 

• Phishing emails: By using social engineering, cybercriminals trick recipients into installing malware through infected attachments or malicious links. Crypto malware is disguised as legitimate software that, when installed, embeds malicious code into applications and programs.

• Malicious websites or apps: When the victim visits the compromised website, JavaScript code runs automatically, allowing attackers to cryptojack. These types of crypto-malware attacks are harder to detect as the malicious code is stored in the browser rather than on the device.

• Compromised accounts: If cybercriminals gain access to user accounts, they could install crypto malware on personal or corporate systems.

How cybercriminals use your device for crypto mining 

If a cybercriminal infects your device with crypto-malware, it runs silently in the background, hijacking your CPU and GPU to solve complex mathematical problems required for cryptocurrency mining. This can severely degrade your device’s performance and significantly increase energy consumption, often without any obvious on-screen signs of mining.

How to recognize signs of crypto-malware infection

While a crypto-malware infection might not be immediately obvious, there are several symptoms you can look out for. These include:

• Decreased system performance: If your device becomes unusually slow or unresponsive, it may be because crypto-malware is consuming significant processing power for unauthorized cryptocurrency mining. 

• Increased CPU usage: A sudden and sustained spike in CPU usage, especially when the system is idle or running minimal applications, could indicate a crypto-malware infection. Check your Task Manager (Windows) or Activity Monitor (macOS) to identify unexpected resource consumption.

• Overheating devices: Continuously high CPU usage from unauthorized mining can cause your device to overheat, potentially leading to hardware damage. If your device frequently overheats without apparent reason, crypto malware could be the culprit.
• Unusual network activity: Crypto malware often communicates with external servers to receive instructions or transmit mined data. Unexpected network connections or data transfers may signal an infection, particularly to unfamiliar destinations.
• Unauthorized file encryption: Crypto ransomware encrypts your files and demands a ransom for decryption. If you notice that your files have become inaccessible or their extensions have changed unexpectedly, it could be a sign of ransomware activity.
• Disabled security software: Some crypto-malware attempts to disable antivirus and anti-malware programs to avoid detection. If your security software is unexpectedly turned off or unresponsive, it may be due to malicious interference.

If you observe any combination of these symptoms, your device has likely been infected with malware. 

The rise of crypto-malware attacks

Why are crypto-malware attacks on the rise?

For cybercriminals, the use of crypto-malware could mean easy money. Once the malicious code is installed on the victim’s device, it runs independently and indefinitely in the background. They don’t have to collect data or sell it; crypto malware mines a steady stream of cryptocurrency, making it very profitable.

Other types of crypto cyberattacks, like ransomware, can also be effective for criminals. It’s nearly impossible for victims to recover their files without paying the ransom. Cybercriminals also value cryptocurrency’s anonymity, which makes tracing them harder and reduces the probability of getting caught. This is why staying vigilant and protecting yourself against attacks is so important.

How cryptocurrency adoption impacts cybercrime 

The meteoric rise in popularity of cryptocurrencies has also brought about a rise in the use of cryptocurrency in cybercrime. It might sound obvious that the increased adoption of crypto makes it an ideal target for cybercriminals, but there is another reason—anonymity.

As mentioned in the section above, cybercriminals value the anonymity cryptocurrencies provide. Traditional banking and physical currency meant that it was easy for law enforcement to trace the activities of cybercriminals and arrest them. Transactions made using cryptocurrency do not require personal information like a bank account or credit card, and their decentralized nature makes it very difficult to trace bad actors. 

The prevalence of crypto cybercrimes seems to fluctuate in frequency, coinciding with the rise or decline in cryptocurrency values. However, this does not mean that you’re safe from crypto-related cybercrimes when the value of crypto drops. You still should always stay vigilant for signs of these attacks.

What industries are most affected by crypto malware?

Like most cyberattacks, crypto-malware is known to predominantly affect industries that are vulnerable due to operational and data sensitivity.

• Government: Government agencies are prime targets for crypto-ransomware attacks. The critical nature of their services and the sensitive information they handle make them attractive to cybercriminals seeking ransom payments.

• Healthcare: The healthcare industry faces significant threats from crypto-malware, particularly ransomware. Attacks on healthcare systems can compromise patient data and disrupt essential services.
• Finance: Financial institutions are frequent targets due to the potential for direct monetary gain. 
• Education: Educational institutions often lack robust cybersecurity measures, making them susceptible to crypto malware attacks. 
• Critical manufacturing: Ransomware attacks on manufacturing plants can disrupt production lines and operations, leading to significant downtime and financial losses.

Notable crypto malware attacks (real-world cases)

CryptoLocker

CryptoLocker is malware that encrypts your files and holds them for ransom. It is a type of crypto-ransomware. Encryption works by relying on two “keys,” one public key and one private key. Attackers use the public key to encrypt and lock your files. The program will demand a ransom payment to decrypt your files, as only the attackers hold the private key that can decrypt them.

Prometei Botnet

Botnets are a network of computers infected with malware and controlled as a group without the victims’ knowledge. Prometei Botnet aims to install itself on as many devices as possible to mine the Monero cryptocurrency. It is an opportunistic malware (it targets victims randomly) and uses known exploits to spread itself across a network of devices. Prometei Botnet has been found across the U.S. and Europe.

PowerGhost

PowerGhost is a fileless crypto malware that is known to attack corporate servers and workstations, embedding and spreading itself undetected across endpoints and servers. It is capable of disabling antivirus software and other competing cryptocurrency miners to evade detection and obtain maximum yield of cryptocurrency from an infected device.

WannaMine 

WannaMine is crypto-malware that secretly mines Monero, a type of cryptocurrency, using a computer’s processing power. Instead of using traditional files, WannaMine runs directly on your device’s system memory, making it hard to detect. Once inside, it hijacks the computer’s resources, slowing it down and causing other performance issues like overheating.

BadShell 

BadShell is malicious software that uses built-in Windows tools to mine cryptocurrency without needing to download any files. It operates by injecting harmful code into legitimate Windows processes like PowerShell and Task Scheduler, making it difficult for standard antivirus programs to detect.

CoinMiner 

CoinMiner is malicious software that infiltrates a computer to mine cryptocurrencies like Monero without the user’s knowledge. It consumes significant processing power, leading to slower system performance and increased energy usage. CoinMiner often spreads through malicious email attachments, infected websites, or software vulnerabilities.

HiddenMiner

HiddenMiner is malicious software that infects Android devices to mine the cryptocurrency Monero without the user’s knowledge. Disguised as a legitimate app, it tricks users into granting administrative rights, then hides itself and continuously mines cryptocurrency. This constant activity can cause devices to overheat, perform poorly, and even fail.

Read more: The biggest crypto thefts of all time

How to detect and protect yourself from crypto-malware

Crypto malware is built to avoid detection and make unauthorized use of computer resources to mine cryptocurrencies. It’s a serious threat to your device and potentially your data. Plus, who would want a stranger profiting off them? Here are some measures you can take to prevent crypto-malware attacks.

1. Keep all your software and devices up to date

Declining software updates increases the likelihood of attackers exploiting unpatched systems. Where possible, enable automatic updates on your devices and apps, as keeping your devices updated ensures a baseline level of security.

2. Monitor your network for suspicious activity

One way to be aware of what’s happening with your devices is to monitor your network for suspicious activity, such as unrecognized traffic. 

How to use network monitoring tools 

One of the easiest and free ways to monitor your network is to check your Wi-Fi router log. You can do this on any device by following these steps:

1. Connect to your router’s Wi-Fi network. Ensure your phone is connected to the Wi-Fi network of the router you want to manage.
2. Open a web browser. Launch a web browser on your phone or computer.
3. Enter the router’s IP address. Type the IP address of your router in the browser’s address bar. Common IP addresses include 192.168.1.1 and 192.168.0.1.
4. Log in to your router. Enter the admin username and password. If you haven’t changed these, the default credentials are in your router’s manual or on a sticker on the router itself.
5. Navigate to the logs section. Once logged in, look for the section labeled “Logs,” “System Logs,” or “Security Logs.”

If your router does not log activity on your network, you can also check your device system logs. Device system logs are typically buried in your settings menu, and the steps to get to them vary by device type and operating system. Try searching for “device logs” using the device’s search function; consult your device manual if that yields no results. 

While task managers can help identify software that is hogging your system resources, it does not help identify suspicious network traffic. It’s best to consult your task manager and network monitoring tools to identify suspicious activity on your device.

Another option to consider is investing in network monitoring software, but choose one from a reputable provider with strong privacy protections.

Common signs of crypto-malware activity on your network

Not sure what to look out for when monitoring your network? Here are some common network-related signs of malicious software.

• Unusual outbound traffic: Crypto malware often communicates with external servers to receive commands or transmit mined data. An unexpected increase in outbound connections, especially to unfamiliar or suspicious IP addresses, can indicate an infection. 
• High network bandwidth usage: If your network experiences unexplained spikes in bandwidth consumption, it may be due to crypto-malware utilizing your resources for mining activities. 
• Connections to known malicious domains: Regularly scanning your network for communications with domains associated with crypto-malware can aid in early detection. A simple Google search can pull up a list of known malicious domains.
• Unexpected network scanning: Infected devices may scan the network to identify other vulnerable systems. Detecting unauthorized scanning activities can help prevent the spread of malware within your network.

3. Back up your files regularly

To protect yourself against data loss, like in the event of a ransomware attack, you need to keep multiple copies of important files, ideally in diverse locations that you control. If your computer gets locked with ransomware, you could potentially abandon it rather than pay. Learn more about backing up your files and encrypting them.

4. Use strong passwords and enable multi-factor authentication

A strong password is your first defense against unauthorized access to your accounts. Pair it with two-factor authentication for an additional layer of security. The ultimate password power move is to use a password manager. Password managers can generate strong passwords, securely store them, and automatically fill them into login screens.

5. Avoid clicking unknown links or email attachments

Clicking unknown links or opening unexpected email attachments can expose your device to crypto-malware. To stay safe, avoid clicking on links from unknown senders, double-check URLs before visiting websites, and be cautious of emails urging urgent action. When in doubt, always verify before you click.

6. Install a trusted antivirus and firewall 

Downloading and installing legitimate antivirus software is among the best measures to protect your computer against viruses and malware. Choose a reputable antivirus program that offers comprehensive protection, including real-time scanning, threat detection, and removal capabilities.

7. Use a VPN for added security and privacy

While ExpressVPN won’t remove malware, it’s key to protecting your privacy online. By encrypting your internet traffic and masking your IP address, ExpressVPN keeps your browsing, streaming, and other online activity safer from hackers, trackers, and anyone else trying to monitor you. It’s especially helpful when using public Wi-Fi or accessing content from different locations, adding an extra layer of security that an antivirus alone can’t provide.

Get ExpressVPN