
Security Command Center Cryptomining Protection Program

Program overview

Google provides Security Command Center Premium customers with financial protection to defray the Compute Engine VM costs related to undetected and unauthorized cryptomining attacks in their Compute Engine VM environment. To participate in this program, customers must follow Security Command Center Cryptomining Detection Best Practices to reduce the risk of a successful attack, and abide by the program terms and conditions below. 

If Google or Security Command Center Premium fail to detect and notify the customer of a cryptomining attack in the customer’s Compute Engine VM environment, and the customer experiences Compute Engine costs resulting from the undetected attack, the customer can request Google Cloud credits within 30 days from when the attack began to cover the unauthorized Compute Engine costs.

Google will work with the customer to determine the Compute Engine costs incurred as a result of the cryptomining attack. The maximum amount of credits issued under this program to any customer will not exceed $1 million USD in any 12-month period.

Google’s responsibility is limited to detecting and notifying customers of cryptomining attacks. Attack response and remediation remain the customer’s responsibility.

If the customer’s Security Command Center Premium deployment produces a detection finding relating to a cryptomining attack on a Compute Engine VM of the customer, or Google otherwise sends a notification to customer warning that suspected cryptomining activity has been detected in their Compute Engine VM environment, customer will not be entitled to any credit for costs incurred after the finding or notification.


Program coverage

This protection program is based on Google’s investment in cryptomining detection technology as part of Security Command Center Premium’s Virtual Machine Threat Detection (VMTD) service. As such, this program only covers Compute Engine VM types and compute environments supported by VMTD. 

Program coverage includes:

  • Undetected and unauthorized cryptomining occurring in Linux-based Compute Engine instances.

Program coverage excludes all other Google Cloud services, including without limitation:

  • Windows VMs
  • Confidential Compute VMs
  • Google Kubernetes instances
  • App Engine instances
  • Cloud Run
  • Cloud Functions

Security Command Center Premium customers are encouraged to monitor usage of Google Cloud services not covered by this program to reduce the risk of undetected cryptomining attacks.

This program does not cover cryptomining activity initiated by the customer. Running cryptomining software in Google Cloud is a violation of Google Cloud Platform Terms of Service.

Security Command Center cryptomining detection best practices

Below is the list of best practices you must review and follow to be eligible for the program. See Security Command Center Cryptomining Detection Best Practices for more information.

To help customers check if these best practices are implemented in their environment, Google Cloud security experts have published this validation script, the output of which is only visible to the customer.

Cryptomining detection methods and notifications

Customers will be notified of cryptomining attacks in their Compute Engine VM environment by Security Command Center producing one or more Stage 0 or Stage 1 detection findings.

Stage 0 detection findings are leading indicators of a cryptomining attack and provide control plane visibility into an imminent or ongoing attack. Stage 1 detection findings are positive indications of cryptomining attacks.

Stage 0 Detection Findings

  • Account Has Leaked Credentials
  • Defense Evasion: Access from Anonymizing Proxy
  • Initial Access: Dormant Service Account Action

Stage 1 Detection Findings

  • Malware: Cryptomining Bad Domain (Event Threat Detection)
  • Malware: Cryptomining Bad IP (Event Threat Detection)
  • Execution: Cryptocurrency YARA Rule (VM Threat Detection)
  • Execution: Cryptocurrency Mining Hash Match (VM Threat Detection)
  • Execution: Combined Detection - YARA Rule and Hash Match (VM Threat Detection)

Alternatively, Google may notify the customer that Google has detected possible cryptomining activity in their environment.

Producing a Stage 0 or Stage 1 Security Command Center detection finding, or otherwise sending a notification to the customer, fulfills Google’s notification responsibility under the terms of this program. 

If there is a delay from the time an attack begins until Security Command Center produces a detection finding, or from when Google otherwise sends a notification to the customer, the customer may request credits for the excess Compute Engine costs from the beginning of the attack until notification. Please review Security Command Center Cryptomining Detection Best Practices for more information. 
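The following Python script is an added illustration, not part of Google's program page or the validation script it mentions. It maps Security Command Center finding categories to the program's Stage 0 and Stage 1 lists above, finds the earliest such finding (Google's notification), and derives the credit-eligible window that runs from the attack start until that notification, plus the 30-day request deadline. The sample findings are constructed; the `category` and `eventTime` field names are assumed to match the finding JSON that Security Command Center exports.

```python
"""Triage SCC findings against the cryptomining program's Stage 0 / Stage 1 lists.

Added example (not Google's code). Assumes each finding is a dict with at least
"category" and "eventTime" (RFC 3339), as in exported SCC finding JSON.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

# Categories as listed on the program page. Stage 0 are leading indicators,
# Stage 1 are positive detections of cryptomining.
STAGE_0_CATEGORIES = {
    "Account Has Leaked Credentials",
    "Defense Evasion: Access from Anonymizing Proxy",
    "Initial Access: Dormant Service Account Action",
}
STAGE_1_CATEGORIES = {
    "Malware: Cryptomining Bad Domain",
    "Malware: Cryptomining Bad IP",
    "Execution: Cryptocurrency YARA Rule",
    "Execution: Cryptocurrency Mining Hash Match",
    "Execution: Combined Detection - YARA Rule and Hash Match",
}


def finding_stage(category: str) -> Optional[int]:
    """Return 0 or 1 for program-relevant categories, None for anything else."""
    if category in STAGE_0_CATEGORIES:
        return 0
    if category in STAGE_1_CATEGORIES:
        return 1
    return None


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_notification(findings: Iterable[dict]) -> Optional[datetime]:
    """Earliest Stage 0/1 finding time, or None if no relevant finding exists."""
    times = [
        parse_timestamp(f["eventTime"])
        for f in findings
        if finding_stage(f["category"]) is not None
    ]
    return min(times) if times else None


def credit_window(attack_start: datetime, findings: Iterable[dict],
                  as_of: datetime) -> Optional[Tuple[datetime, datetime]]:
    """Window of costs that may be claimed: attack start until notification.

    With no relevant finding the attack is undetected so far and the window
    runs to `as_of`. A notification at or before the attack start leaves
    nothing claimable, because costs after a finding are never eligible.
    """
    notified = first_notification(findings)
    window_end = as_of if notified is None else min(notified, as_of)
    if window_end <= attack_start:
        return None
    return attack_start, window_end


def request_deadline(attack_start: datetime) -> datetime:
    """Credits must be requested within 30 days of the attack beginning."""
    return attack_start + timedelta(days=30)


# Constructed sample findings: one unrelated category, then two Stage 1 hits.
SAMPLE_FINDINGS = [
    {"category": "Persistence: New API Method", "eventTime": "2024-03-01T08:00:00Z"},
    {"category": "Malware: Cryptomining Bad IP", "eventTime": "2024-03-02T06:00:00Z"},
    {"category": "Execution: Cryptocurrency YARA Rule", "eventTime": "2024-03-02T07:30:00Z"},
]


def summarize(attack_start_iso: str, findings: Iterable[dict], as_of_iso: str) -> dict:
    """Human-readable summary of the claimable window and request deadline."""
    start = parse_timestamp(attack_start_iso)
    window = credit_window(start, findings, parse_timestamp(as_of_iso))
    hours = (window[1] - window[0]).total_seconds() / 3600 if window else 0.0
    return {
        "notified_at": first_notification(findings),
        "claimable_hours": hours,
        "request_deadline": request_deadline(start),
    }


if __name__ == "__main__":
    # Attack began 2024-03-01 12:00 UTC; first Stage 1 finding 18 hours later.
    print(summarize("2024-03-01T12:00:00Z", SAMPLE_FINDINGS, "2024-03-10T00:00:00Z"))
```

The script deliberately ignores findings outside the two lists, so an unrelated finding in the same period does not count as notification; and it treats the absence of any Stage 0 or Stage 1 finding as "undetected so far", which is the situation the credit request addresses.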

Sharing attack information

To qualify for Google Cloud credits under the program, upon request the customer must:

  • submit evidence reasonably demonstrating the occurrence of a cryptomining attack, such as event logs and/or anomalous Compute Engine costs, and 

  • represent and provide evidence reasonably demonstrating that customer was following Security Command Center Cryptomining Detection Best Practices for this program as described at Security Command Center Cryptomining Detection Best Practices and did not receive a finding or other notice from Google regarding the cryptomining attack.

After Google confirms that a Security Command Center Premium customer has experienced an undetected cryptomining attack in their Compute Engine VM environment, the customer will be required to work collaboratively with Google Cloud security engineers to identify and share forensic artifacts to assist Google in improving its threat detection capabilities.

Requested forensic information could include images uploaded by the attacker, the cryptomining binary executed, and Cloud Audit Logs describing the adversary’s behavior during the attack. Customers will provide this information to Google upon request, and will have the opportunity to review the information requested and remove sensitive or proprietary data prior to sharing with Google.

Program terms and credits

i. Generally: These program terms supplement the Google Cloud Platform Terms of Service. Google reserves the right to make any changes to or discontinue this program for any reason or no reason upon 30 days' notice by updating this webpage.

To qualify for Google Cloud credits under the program, the customer must file the request for Google Cloud credits within 30 days from when the attack began. 

ii. Google Cloud Credits: Google will work with the customer to determine the Compute Engine costs incurred due to the cryptomining attack, and Google will reasonably determine whether credits are due and the appropriate amount. The maximum amount of credits issued under this program will not exceed $1 million USD in any 12-month period. No other remedies, or express, implied, or statutory warranties are available (including, without limitation, warranties of merchantability and fitness for a particular purpose) in relation to this program. Google Cloud credits will only be available to the customer for the period starting with the beginning of the cryptomining attack and ending when Google provides notice of the cryptomining attack to customer. Any costs associated with the cryptomining attack following Google’s notification to the customer are not eligible for Google Cloud credits under the program. Any credits provided to customer have no cash value. All credits will expire 12 months after issue or upon termination or expiration of customer’s Google Cloud agreement.