Microsoft: 644K PCs encounter cryptocurrency mining malware every month

Even though coin mining isn't inherently malicious, the presence of it on corporate networks can cause serious headaches for IT.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Each month from September 2017 to January 2018, 644,000 computers on average were infected with malware for mining cryptocurrency. -- Microsoft, 2018
  • While cryptocurrency mining may seem like a simple nuisance, it is a serious threat to IT due to its ability to commandeer compute resources.

The popularity of cryptocurrencies like Ethereum, Monero, Bitcoin, and others has led to a surge in coin mining operations that are plaguing the enterprise. According to new Microsoft Windows Defender research, an average of 644,000 PCs per month encountered some form of mining malware between the months of September 2017 and January 2018.

The report simply noted that the computers "encountered" the malware, and didn't explicitly say they were infected. However, it does point out that the 644,000 machines were individual, unique computers, giving a startling picture of just how rampant coin mining malware has become.

These forms of malware, also known as cryptominers, are finding their way onto enterprise networks as well. Whether introduced by a malicious attacker or by a rogue employee who wants to make some extra money, they have become a serious problem for enterprise IT.


Cryptocurrency and its mining are not malicious by nature, but they are often used in criminal transactions due to their anonymity. Many IT leaders tend to see cryptominers as a simple nuisance, but they should be regarded very carefully as they "eat up precious computing resources," the post said. This can lead to wear and tear on company hardware and cause productivity problems for the workforce.

In fact, Microsoft recently worked to block a cryptomining attack that targeted more than 400,000 machines. Known as Dofoil, or Smoke Loader, it was a trojan that used process hollowing to replace the code of a legitimate process with malware.

"We have seen a wide range of malicious cryptocurrency miners, some of them incorporating more sophisticated mechanisms to infect targets, including the use of exploits or self-distributing malware," the Microsoft blog said. "We have also observed that established malware families long associated with certain modus operandi, such as banking trojans, have started to include coin mining routines in recent variants."

The rise of cryptomining has coincided with a drop in ransomware attacks, the post said, as criminals may be shifting their methods. Additional threats include browser-based cryptocurrency miners, a technique known as cryptojacking, and the unauthorized use of legitimate coin miners.

IT leaders who want to avoid dealing with legitimate cryptominers on their office network should identify them as "potentially unwanted applications" (PUA) so they can be flagged. Trojanized miners, on the other hand, are classified as malware and will be automatically detected and blocked by Microsoft security products, the post said.
