Published by Troy Mursch
Last updated on October 08, 2025
•
29 minute read
The cryptocurrency markets went insane late in 2017 as the value of a Bitcoin neared $18,000 USD. The end result was pure gold rush mentality in which everybody wanted to make some money on this new commodity.
Unbeknownst to many, however, this also led to the emergence of a new class of malware: cryptojacking.
Cryptojacking is the hybrid of cryptocurrency and hijacking. At its core, your computer/laptop, mobile device, or server is hijacked and used for mining cryptocurrency for the cybercriminal behind the scenes. Cryptojacking malware doesn't want to encrypt your data and ask for ransom like we often see with ransomware attacks. Cryptojacking malware wants to use your CPU and all of your processing power so it can mine for cryptocurrency coins.
Preventing cryptojacking involves using a multi-layered monitoring approach built around network monitoring, CPU usage detection, and proactive cybersecurity defense. Here is a complete step-by-step guide to preventing cryptojacking with advanced monitoring using PRTG Network Monitor and cybersecurity best practices used by enterprise IT pros.
Why Preventing Cryptojacking is Critical for Your Infrastructure
Cryptocurrency mining is a fine balancing act to ensure profitability vs costs. When malware is added into the crypto mining equation by a cybercriminal using cryptojacking malware, the entire equation's cost falls on the shoulders of the device being infected. The computing power (CPU performance) and energy/electricity cost is provided by the end users that are often unaware that illicit cybercrime is taking place on their endpoint computing devices.
Cryptojacking malware can affect any Windows device, smartphone, and even cloud services that have the ability to perform the computational math hashing needed to mine for cryptocurrency coins. While these devices may not net large amounts of Bitcoin or Monero coins, threat actors will attempt to enslave as many devices as possible to turn a profit while also causing overheating and high energy bill costs.
Preventing cryptojacking starts with continuous CPU usage monitoring and sustained resource usage detections. PRTG's sensors provide the operational visibility needed to identify cryptojacking before it impacts your infrastructure and energy costs.
How to Prevent Cryptojacking: 7 Essential Steps
Preventing cryptojacking requires implementing a defense-in-depth approach of multiple security layers. Here is your complete prevention checklist:
- Deploy Real-Time CPU Monitoring - PRTG WMI sensors to monitor sustained high CPU usages patterns and detect cryptojacking scripts
- Configure Smart Alerting - PRTG alerts you when CPU usage goes above normal baselines for extended periods of time
- Block Cryptomining Domains - Network-level blocking of known cryptojacking domains and cryptomining scripts
- Enable Browser Protection - Install cryptojacking browser extensions and ad blockers to prevent browser-based cryptojacking
- Monitor Cloud Resource Usage - Watch for unexpected increases in cloud services computing costs and CPU credits
- Update Security Software - Keep endpoint protection and antivirus software updated with cryptojacking detection features
- Educate Users - Train employees to recognize phishing email attacks and social engineering used to deploy cryptojacking malware
How to Prevent Cryptojacking with PRTG CPU Monitoring Sensors
Not long ago, I helped document a PRTG use case to monitor a set of well known websites for the removal of cryptojacking malware. In my use case, PRTG let me continuously monitor the websites so I was instantly notified when the malware was removed. The same principle applies for your own infrastructure – from bare-metal servers on premises to virtual machines running in the cloud. PRTG provides the monitoring visibility data needed to prevent cryptojacking before you are stuck with higher energy bills or cloud services compute resource overages.
Preventing Cryptojacking with PRTG Sensors: Step-by-Step Setup
Paessler has developed specialized sensors in PRTG specifically for detecting the sustained high CPU usages patterns that indicate cryptojacking. Here are numbered step-by-step instructions to create your comprehensive cryptojacking prevention monitoring setup:
Step 1: Deploy Windows CPU Monitoring Set up
Windows Management Instrumentation (WMI) CPU Load sensors for all Windows servers and workstations. These sensors will track processor performance and detect the common cryptojacking malware symptom of 24/7 high CPU usage.
Step 2: Configure Smart CPU Thresholds
Set custom CPU usage alerts specifically designed for cryptojacking detection. For example, if your server normally runs at 30% CPU load, set a threshold at 70% and require that it must be sustained for 10+ minutes. This stops false positives from normal workload spikes while also catching persistent high CPU usage caused by cryptomining malware.
Step 3: Enable Linux System Monitoring
Deploy PRTG's SSH and SNMP sensors to Linux systems. Configure SSH-based sensors to run custom scripts that check for known cryptomining processes, while SNMP sensors can provide continuous CPU monitoring.
Step 4: Set Up Cloud Infrastructure Alerts
If you use Amazon Web Services cloud services for your infrastructure, you can also use PRTG's integration with Amazon CloudWatch to add alerts for unusual EC2 CPU credit usage and patterns. Cryptojacking is a primary cause of unexpected CPU credit consumption in cloud service deployments.
Step 5: Test Your Detection System
Double check that all sensors are reporting properly and test alerting to ensure that your team is getting notified in real time when cryptojacking patterns are detected.
| Sensor Type | Detection Capability | Best Used For | Alert Threshold Recommendation |
|---|---|---|---|
| WMI CPU Load | Sustained high CPU usage patterns | Windows servers & workstations | >70% for 10+ minutes |
| SNMP CPU | Cross-platform CPU monitoring | Network devices, Linux systems | >80% for 15+ minutes |
| SSH Custom | Process-level mining detection | Linux/Unix systems | Custom script-based alerts |
| Amazon CloudWatch | Cloud resource consumption | AWS EC2 instances | CPU credit depletion alerts |
| WMI Memory | Memory usage correlation | Windows memory analysis | Unusual RAM allocation patterns |
| Network Flow | Mining pool traffic detection | Network-wide monitoring | Outbound connections to mining ports |
| Performance Counter | Real-time Windows metrics | Detailed Windows analysis | Custom counter thresholds |
| WMI Process | Specific process monitoring | Suspicious process detection | Unknown high-CPU processes |
Key Benefits:
-
Multi-layered Detection - Correlate multiple sensor types for a holistic view to prevent cryptojacking attacks
- Lower False Positives - Use CPU, memory, and network data correlation for more accurate cryptojacking alerts
- Cross-Platform Coverage - Monitor Windows, Linux, cloud services, and network infrastructure
- Immediate Alerts - Get real time notifications when cryptojacking is detected
That should give you a clear understanding of how to prevent cryptojacking with the right monitoring setup. Next let's dive into a more complete set of cryptojacking prevention best practices.
Advanced Cryptojacking Prevention Strategies
Network Traffic Analysis for Cryptojacking Prevention:
PRTG goes beyond the basic CPU and memory usage monitoring methods and provides network flow sensors that can detect cryptojacking malware by identifying outbound traffic patterns to cryptomining pools. Cryptojacking malware often creates constant, repeated outbound connections to known port ranges used for cryptomining protocols including Bitcoin, Monero, and other cryptocurrency coins.
Memory Usage Correlation:
Correlate CPU usage with PRTG's WMI Memory sensors to detect the memory usage patterns unique to cryptojacking activity. Legitimate high CPU usages usually correlate with proportional memory usage, while cryptojacking malware often has different memory allocation patterns that signal code execution for cryptocurrency mining.
Multi-Layered Detection Approach:
Build on PRTG's core sensor detection by using the Sensor Factory feature to create custom composite sensors that correlate CPU, memory, and network data into a single cryptojacking risk score. This advanced approach can lower false positives while also improving detection accuracy against more targeted cryptojacking malware.
Complete Cryptojacking Prevention Strategy Beyond Monitoring
Preventing cryptojacking requires more than just PRTG sensors, since the cybercriminals behind these attacks can also target browser-based resources, endpoint protection software, and network-level visibility. Add the following security layers to build a holistic set of prevention strategies to detect cryptojacking:
Network-Level Protection:
In addition to DNS-level filtering with updated cryptojacking domain blacklists, set up firewalls to block outgoing connections to known malicious domains and IPs. CoinBlockerLists offers a community-maintained repository of updated cryptojacking domains. Better yet, combine this list with a real time threat intelligence feed for the best possible defense against cryptojacking malware.
Browser-Based Prevention:
To prevent browser-based cryptojacking, configure your browsers to block JavaScript-based cryptocurrency mining and mining scripts. Extensions such as minerBlock can help, but it's recommended to implement enterprise browser security policies that disable JavaScript on untrusted sites to prevent cryptojacking by script-based code execution.
Endpoint Security Integration:
It is also helpful to check that your endpoint protection software and antivirus have cryptojacking-specific detection features. This is still highly recommended, but instead of relying on software alone, combine it with continuous monitoring with PRTG network sensors since cyber criminals will usually try to bypass endpoint security first. Remember to use task manager monitoring for suspicious apps and processes that might indicate the presence of cryptojacking code.
Additional Security Measures:
- Implement supply chain security and assess any third-party vendors for vulnerabilities
- Protect against malicious link clicks that could result in mining malware installation
- Consider open-source and command line tools to also check for cryptojacking work
Prevent cryptojacking before it can affect your infrastructure. Download your free PRTG trial and set up CPU usage monitoring sensors in minutes to protect your infrastructure from cryptojacking. Start Your Free Trial Now!
You there!
