By Harish Chib, vice president for Middle East and Africa, Sophos
Cryptojacking has recently erupted onto the cybercrime scene, thanks to the surge in value during 2017 of cryptocurrencies such as Bitcoin, Monero, and Ethereum. Crooks are aggressively targeting laptops, desktops, servers, and even mobile devices to do the calculations needed to generate cryptocurrency. From a single device to entire networks, they infect as many devices as they can to mine for cryptocurrency on, or while using other people’s computers.
The difference between Cryptomining and cryptojacking
Cryptomining is the act of doing all the necessary – and quite frankly very complex – effort required to generate and work with cryptocurrency. It can be both legitimate or malicious, which is determined by several factors, most significantly whether you consciously agree to it.
Cryptojacking on the other hand is malicious cryptomining. Cyber criminals get code onto your devices
without your permission to mine for cryptocurrency using your equipment and your resources. They keep all the proceeds themselves while you get nothing for your hard work.
A common misconception is that the sole purpose of miners is to generate cryptocurrency. It’s true, this is part of the job. However, they also have another role that is at least equally as important: validating transactions on the blockchain.
The difference between legitimate and malicious mining
The basic difference is intent. Legitimate and malicious mining are the same in almost every sense except who gets paid and whether the person who owns the device performing the mining willingly chooses to participate. It’s easy to understand the concept of the crooks wanting you to do the hard work and they take all the proceeds.
That’s why cryptojacking has exploded with the growth in the value of cryptocurrencies in the market. Crooks see an opportunity to make “free money” off the back of your hard work. And how do they achieve this? They manage to get cryptomining code onto your device, and without your permission and knowledge, immediately set your device working as a part of their malicious pool.
The business implications of cryptojacking
Cryptojacking might sounds relatively harmless at first – it doesn’t need to read your personal data, or even to access to your file system. However, the downsides are still very significant:
- Unbudgeted operating expenses from powering computers to work for someone else.
- Opportunity costs because legitimate works gets slowed down. If you think your computer is slow now, wait until you get cryptomining software on it!
- Security risks from who-knows-what untrusted programs and network connections.
- Reputational and regulatory costs of reporting, investigating and explaining the cryptomining activity.
- Ethical concerns of allowing employees to mine using your resources.
These risks are real, and you need to decide if your business can afford to ignore these risks. Your business needs to form an opinion on what is your policy on cryptomining. While the view on cryptojacking is simple – it should never be allowed – the view on legitimate mining varies from business to business.