Tallying Up the Hidden Costs of Cryptomining Malware

When the price of Bitcoin and other cryptocurrencies surged in December 2017, "mining"—the act of solving computationally complex tasks to procure new coins—became all the rage.

Cryptocurrency miners sought ways to buy, build or steal the computational power needed to out-calculate other miners. Top-of-the-line graphics cards—used for creating the parallel-computing systems needed to compete for coins—sold out across the Internet. Cyber criminals loaded up their favorite malware with payloads that could turn compromised systems into cryptomining botnets. They also attacked websites, such as Showtime's homepage, using Javascript code that co-opted visitors browsers for their processing power.

In 2017, the use of coin-mining malware jumped by a factor of 85, according to Symantec's 2018 Internet Security Threat Report.

"It went from almost nothing to a large number of people participate in mining in almost no time," said Kevin Haley, director of product management for Symantec's Security Technology and Response.

The menagerie of malware, cryptocurrency-mining payloads—often referred to as cryptominers or, in the case of browser extensions, cryptojackers—may seem relatively benign, but there is a cost. The code can cause high usage of a computer's central processing unit (CPU) or graphics process unit (GPU). The upshot: devices slow down, batteries overheat and system lifespan winds up getting curtailed.

While many cryptominers often tamp down their activities to avoid detection, often times the software is installed with a default configuration, using up all available resources, said Troy Mursch, an independent security researcher and owner of the Bad Packets Report.

In a paper published with researchers at Concordia University, Mursch found that thousands of websites had adopted cryptojacking and that most used about 25 percent of a user's CPU. More recent Android-focused malware, known as ADB.Miner, spread through thousands of devices in China and South Korea, consuming 100 percent of their processing power.

Even in cases where consent is given, Mursch noted, users often do not understand the impact of the mining code on their systems.

"Bottom line, the fact remains is they are stealing your computation, electricity and power to mine currency," he said.

Power Play

While cryptocurrency mining may not cost individuals a great deal, the cost overall is staggering. The calculations needed to verify the Bitcoin ledger and mine currency—known as proof of work—requires more than 70 terawatt-hours each year, enough to power 6.5 million U.S. households, according to the site Digiconomist.

With cryptomining malware and cryptojacking, the miners pass along those costs to the owners of the host systems. Most currencies require increasingly complex computational effort to acquire coins. Based on the average electricity price in different states, for example, Crescent Energy Supply calculated that a single Bitcoin costs anywhere from $3,224 to $9,483 in power.

Using other people's systems to mine cryptocurrency may be the only way to make the effort profitable.

Unfortunately, the complexity naturally means that a greater number of compromised—or cooperating—systems need to be linked together to generate money.

"Eventually, with cryptocurrency, a lot of people will stop doing it," Symantec's Haley said. "But a lot of people will say—if I'm making only half as much, I need to double the number of machines. So the problem will get worse before it gets better."

Defending Against Mining

Companies have already started taking steps to blunt the impact of mining. Google had allowed cryptomining extensions to be hosted in its Chrome Web Store as long as the extension had a single purpose and a clear consent, but recently banned all cryptomining extensions from the marketplace. In addition, the company is reportedly working on an update that will limit certain Javascript programs from consuming a significant amount of CPU time.

"If they would do something like that, it would be fantastic," Mursch said.

In addition, most security software detects cryptomining programs and blocks them.

Mursch does not expect the cyber criminals and currency speculators stopping any time soon. Cyber criminals use malware to make money from compromised systems. The most popular ways to turn computers into cash is to hold the data hostage (ransomware), corral a large number of computers to attack other systems (botnets), or use the computers to accomplish another goal. Cryptomining falls into the latter category.

It also means that as long as cryptocurrencies allow someone to turn computing power into cash, cryptominers and cryptojacking will continue.

"For this to stop, we would have to get past proof-of-work of cryptocurrencies," Mursch said. "It is going to be part of the hackers’ toolkit. It is not going to replace ransomware or extortion. The hot cryptocurrency is Monero, but there are others coming down."