Coin miners remediation workflow
Follow these steps to remediate a coin miner attack.
Introduction
Coin miners are executable files that steal CPU cycles and RAM to perform the mining calculations for various cryptocurrencies. These malware variants are usually stealthy: rather than causing obvious damage, they try to keep mining unnoticed in the background of a device. The most common symptom is a significant degradation in the device's performance.
Confirm if it's a coin miner
First, determine whether you're dealing with a coin miner or some other Windows Management Instrumentation (WMI) persistence-based infection. To confirm a coin miner infection, check for the following:
An entry shows in the WMI tab.
The screenshot below shows an example of a coin miner.

Update and patch your systems
Make sure that all your devices have the latest Windows security patches, including the patch for the EternalBlue exploit.
EternalBlue is an exploit that takes advantage of a vulnerability in Microsoft SMB, used notably by the WannaCry ransomware to spread. Various malware families now use it. Patching devices closes this infection vector, which makes it harder for coin miners to spread and also protects you against other malware that uses EternalBlue.
Microsoft released the patch for EternalBlue in security update MS17-010. The official Microsoft article explains how to verify that a computer has the patch. See How to verify that MS17-010 is installed.
Sophos has a simple PowerShell script that you can run on individual devices to confirm whether they have the patch. For more information, see How to Verify if a Machine is Vulnerable to EternalBlue - MS17-010.
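The following is an added example, not the Sophos script or Microsoft's article. It performs the check the Microsoft verification article describes, comparing the srv.sys file version on the local device against the minimum patched version for its OS build, and also reports whether the SMBv1 server (the component EternalBlue targets) is still enabled. The version table is transcribed from that article and should be verified against it; the Vista/2008 LDR-branch minimum is deliberately left out.

```powershell
# Added example (not Sophos or Microsoft code): MS17-010 check for one device.
# Run in an elevated PowerShell session.

function Get-Ms17010Status {
    [CmdletBinding()]
    param()

    # Minimum patched srv.sys version per OS build (GDR branch), transcribed from
    # Microsoft's "How to verify that MS17-010 is installed". Verify before relying on it.
    # Vista/2008 LDR-branch builds (fourth component 24xxx) have a separate minimum
    # in that article and are not handled here.
    $patched = @{
        '6.0.6002'   = [version]'6.0.6002.19743'   # Vista SP2 / Server 2008 SP2
        '6.1.7601'   = [version]'6.1.7601.23689'   # Windows 7 SP1 / Server 2008 R2 SP1
        '6.2.9200'   = [version]'6.2.9200.22099'   # Windows 8 / Server 2012
        '6.3.9600'   = [version]'6.3.9600.18604'   # Windows 8.1 / Server 2012 R2
        '10.0.10240' = [version]'10.0.10240.17319' # Windows 10 1507
        '10.0.10586' = [version]'10.0.10586.839'   # Windows 10 1511
        '10.0.14393' = [version]'10.0.14393.953'   # Windows 10 1607 / Server 2016
    }

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $osKey  = ($os.Version -split '\.')[0..2] -join '.'   # e.g. 6.1.7601 or 10.0.14393
    $srvSys = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'

    # srv.sys is absent when the SMBv1 server feature is not installed (the default
    # on recent Windows 10 builds); EternalBlue has nothing to reach in that case.
    $srvVersion = $null
    if (Test-Path -LiteralPath $srvSys) {
        $raw = (Get-Item -LiteralPath $srvSys).VersionInfo.FileVersion
        if ($raw -match '^(\d+\.\d+\.\d+\.\d+)') { $srvVersion = [version]$Matches[1] }
    }

    $status = if (-not $srvVersion) {
        'SMBv1 server driver not present'
    } elseif ($patched.ContainsKey($osKey)) {
        if ($srvVersion -ge $patched[$osKey]) { 'Patched' } else { 'VULNERABLE: srv.sys older than MS17-010' }
    } else {
        'Build not in table (released after MS17-010; confirm via cumulative update history)'
    }

    # SMBv1 state: Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # older systems fall back to the LanmanServer SMB1 registry value (absent = enabled).
    $smb1 = try {
        [bool](Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                              -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = $osKey
        SrvSysVersion = $srvVersion
        Ms17010       = $status
        Smb1Enabled   = $smb1
    }
}

Get-Ms17010Status | Format-List
```

Even on a patched device, a result of `Smb1Enabled = True` is worth acting on: disabling SMBv1 where nothing depends on it removes the attack surface rather than just the one bug.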
To patch and update your devices, do as follows:
Find the coin miner
A coin miner is either an executable file or a script that runs from a scheduled task or a WMI entry.
Delete the coin miner
If you have a malicious executable file, you need to remove it.
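As an added example covering both the "Find the coin miner" and "Delete the coin miner" steps (this is not Sophos code), the script below enumerates the three places this workflow names as footholds: WMI permanent event subscriptions (the entries you see in the WMI tab), scheduled task actions, and the top CPU-consuming processes with their image path and Authenticode status. A second function removes a specific task, WMI subscription chain, or executable you have confirmed as malicious. The keyword list is an assumption used only to highlight likely leads.

```powershell
# Added example (not Sophos code). Run as Administrator.

function Find-CoinMinerArtifacts {
    [CmdletBinding()]
    param(
        # Assumed keywords often seen in miner launch commands; hits are leads, not verdicts.
        [string[]]$Keywords = @('-enc', 'EncodedCommand', 'stratum', 'xmrig', 'monero', 'pool')
    )
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $ns = 'root\subscription'

    # 1. WMI permanent event subscriptions: binding -> filter (trigger) + consumer (payload).
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = "$($c.CommandLineTemplate)$($c.ScriptText)"
        [pscustomobject]@{
            Type       = 'WMI'
            Name       = $b.Filter.Name
            Detail     = "query=[$($f.Query)] payload=[$payload]"
            Suspicious = [bool]($payload -match $pattern)
        }
    }

    # 2. Scheduled task actions (executable plus arguments).
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd) {
                [pscustomobject]@{
                    Type       = 'Task'
                    Name       = "$($t.TaskPath)$($t.TaskName)"
                    Detail     = $cmd
                    Suspicious = [bool]($cmd -match $pattern)
                }
            }
        }
    }

    # 3. Top CPU consumers: miners show up here; an unsigned binary in a user-writable path is a lead.
    Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 | ForEach-Object {
        $path = $_.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'n/a' }
        [pscustomobject]@{
            Type       = 'Process'
            Name       = "$($_.ProcessName) (PID $($_.Id))"
            Detail     = "$path [signature: $sig]"
            Suspicious = ($sig -ne 'Valid' -and $sig -ne 'n/a')
        }
    }
}

function Remove-CoinMinerArtifact {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TaskName,       # full task path + name as reported above, e.g. '\Updater'
        [string]$WmiFilterName,  # __EventFilter Name; its binding and consumer are removed too
        [string]$FilePath        # confirmed malicious executable; running instances are stopped first
    )
    $ns = 'root\subscription'
    if ($WmiFilterName -and $PSCmdlet.ShouldProcess($WmiFilterName, 'Remove WMI subscription')) {
        Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
            Where-Object { $_.Filter.Name -eq $WmiFilterName } | ForEach-Object {
                $cName = $_.Consumer.Name
                Remove-CimInstance -InputObject $_
                Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $cName | Remove-CimInstance
            }
        Get-CimInstance -Namespace $ns -ClassName __EventFilter | Where-Object Name -eq $WmiFilterName | Remove-CimInstance
    }
    if ($TaskName -and $PSCmdlet.ShouldProcess($TaskName, 'Unregister scheduled task')) {
        Get-ScheduledTask | Where-Object { "$($_.TaskPath)$($_.TaskName)" -eq $TaskName } |
            Unregister-ScheduledTask -Confirm:$false
    }
    if ($FilePath -and $PSCmdlet.ShouldProcess($FilePath, 'Stop process and delete file')) {
        Get-Process | Where-Object { $_.Path -eq $FilePath } | Stop-Process -Force
        Remove-Item -LiteralPath $FilePath -Force
    }
}

# Usage: review leads first, then remove only confirmed items (dry-run with -WhatIf).
Find-CoinMinerArtifacts | Where-Object Suspicious | Format-Table -AutoSize -Wrap
# Remove-CoinMinerArtifact -TaskName '\Updater' -WmiFilterName 'EvilFilter' -FilePath 'C:\Users\Public\miner.exe' -WhatIf
```

Remove the persistence (WMI subscription or task) before killing the process and deleting the file; otherwise the next trigger simply relaunches the miner. Keep a copy of the file and the WMI query text for your incident record before deletion.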
Coin miner remediation video
This video walks through the workflow described above.