Spread via torrents and direct downloads of pirated games, Crackonosh hijacks a computer to convert it into a crypto mining rig. Roughly 220,000 cases have been reported worldwide, with estimates that the scam has netted over $2 million in Monera cryptocurrency for its unknown authors. While versions of Crackonosh have been in circulation since 2018, the recent spike in cases has put it on security researchers’ radars. “This malware typically is distributed via torrents and executables geared toward gamers,” said Bryan Hornung, CEO of Xact IT Solutions, in a direct message to Lifewire. “Gamers’ systems typically have more processing power, which generates more revenue for the cybercriminals.”

Monsters of Code

According to Avast’s Daniel Beneš, Crackonosh’s code suggests its author might be Czech. That resulted in its nickname, which is a nod to the Krakonoš, the Czech name for a mountain spirit from Polish, German, and Bohemian folklore. As a malware package, Crackonosh is remarkably specific. There’s been no evidence of data loss or theft from infected systems. If your computer’s been hit with Crackonosh, at least your local files aren’t at risk. It’s also easy to avoid, as these things go. At time of writing, the only confirmed method of spread for Crackonosh is via pirate software sites, which offer free “cracked” downloads for popular PC games such as Grand Theft Auto V, NBA 2K19, Far Cry 5, and the 2018 Call of Cthulhu. Some of those downloads are infected with Crackonosh. “This is the sort of thing where prevention is the best cure,” said Christopher Budd, senior global threat communications manager at Avast, in a Zoom call with Lifewire. “This is what happens when you try to get something for nothing. You download it, you get the game, and you get free coin-miner software at no extra charge.”

How It Gets on, and How To Get It Out

When a user tries to install a pirated game with the Crackonosh malware on Windows 10, Crackonosh alters the computer’s registry to give itself permission to start in Safe Mode. It then forces the computer to boot into Safe Mode on its next startup, which disables most anti-virus software, so Crackonosh can target and delete any countermeasures that might be present. It also replaces the Windows Security icon in Windows 10 with an identical fake, so users might not notice it’s missing right away, and disables Windows Update so the OS won’t automatically reinstall Windows Defender. At this point, a user still can use their computer, but it’s likely to be slowed down dramatically by the demands of the mining software. It’s also completely unprotected from any other viruses or malware that might come along in the meantime. If you’re looking to get rid of Crackonosh from an infected system, it’s a tall order, requiring you to hunt down and delete multiple files, scheduled tasks, and even registry keys. It’s arguably a lot easier to simply format your drive and reinstall Windows, although Avast has provided a guide on its official blog on how to remove the Crackonosh malware from your computer. “It takes a lot of steps,” said Budd. “You’re doing a lot of tooling by hand to get rid of this. I’ve done some support in my day, and this is not something I’d want to walk someone through on the phone.” Research is continuing on Crackonosh now, although it’s been slowed down for an obvious reason: not a lot of people are inclined to share how their illegal downloads are responsible for an illegal thing happening to their computer. However, it’s not something you can catch at random, which takes away some of the threat. Crackonosh doesn’t perpetuate through email chains, ad banners, or dodgy websites. There’s only one way to get it, and that’s by going out and actively trying to commit software piracy. “As my mother used to joke,” said Budd, “a man goes into the doctor and says, ‘Doctor, it hurts when I do this.’ The doctor says, ‘Well, then don’t do that.’ If you and all the users of your system don’t download cracked software, you don’t have to worry about this one.”