Crypto mining – a malware trend that is replacing good old ransomware

Just last week we wrote about the Rakhni – crypto mining ransomware, an improved variant of a typical cryptovirus that now got a feature to work as a cryptocurrency miner, depending on how powerful the compromised computer is. Apart from being a game-changer, Rahni’s interesting combination demonstrates that the old viruses have to borrow techniques from the new threats in order to stay relevant amongst the other virtual parasites.

But why you wonder, they chose to implement cryptocurrency mining features instead of others? There are a few reasons including technical advantages, yet the main motive is the guaranteed money that the regular malware has to really fight for and the silent working principles that allow the viruses to stay unnoticed, yet generate the revenue.

What so special about crypto mining

Crypto mining also is known as crypto jacking has been originally started by the Bitcoin creator Satoshi Nakamoto and his buddy Hal Finney in 2009 when they used their home computers’ CPUs to solve then-easy problems and mine crypto coins. But soon others realized that GPUs were more powerful and could solve the complex algorithms more effective therefore in 2011 Bitcoin mining skyrocketed attracting tons of people causing mining and slowing down the process of completely gathering all possible Bitcoin (more people are mining the more problematic it gets). After that other cryptocurrencies like Monero, Etherium emerged and GPUs were replaced by even more powerful machines. More about the history of crypto mining on 99bitcoins.com.

Powerful mining machines require lots of electricity which also have a high cost, therefore in order to make money from selling mined cryptocurrency your hardware and power has to add up to the amount as low as possible. There were some lucky people that spotted such perfect making them hundreds of thousands of dollars, without them doing anything. But hackers have found ways how to get the power, machines for free and still effectively gain from mining.

The best mining malware examples would be XMRig virus or MassMiner, that infect regular user computers and stay unnoticed while using the machine and its GPU, CPU for getting that Bitcoin/Monero or etc. The only sign that the victim notices is the slower working machine. As reported on Coindesk.com in China such mining viruses hacked more than 1 million computers and made over 2 million dollars in 2 years for hackers, who did not spend a dime for electricity or mining hardware.

Why ransomware infections dropped and crypto miners increased

Skybox security released showing how radically numbers changed in the past year from 2017 and early 2018. As it was mentioned in 2017 “7 out of 10 malware payloads were ransomware” and cryptocurrency miners was rather a rare virus, however, just in a couple months, situation shifted completely dropping the ransomware numbers from 32% of all malware to just 8% (the majority of this number consisting of WannaCry infections, which according to F-secure’s is considered to be the biggest ransomware outbreak in the history), and increasing crypto miners from 7% to impressive 32%.

The main reasons why crypto demanding viruses lost the popularity so fast was the general people awareness, better data backup habits, and safer online browsing skills, education via media, cyber enthusiasts publishing free decryptors, also lost trust in hackers that after NotPetya was ruined completely since crooks after taking payment would not send the decryption keys to the victims and etc. This all slowed down hackers from collecting anonymous cryptocurrency ransom from users.

Furthermore, the ransomware requires more security and preparation in order to work rather than a Trojan miner that does not even have to interact with the victim and can stay weeks and months in infected machine unnoticed. On the contrary, even the most sophisticated ransomware must have an anonymous email address, cryptocurrency wallet, also certain design, encryption and convincing ransom message that would push the person to pay. And lastly, cryptojacking can be more profitable since it can sneak into phones too and compromise corporations.

securelist.com disclosed more numbers about the changing popularity of both types of malware:

• The total number of users who encountered ransomware fell by almost 30%, from 2,581,026 in 2016-2017 to 1,811,937 in 2017-2018;
• The total number of users who encountered miners rose by almost 44.5% from 1,899,236 in 2016-2017 to 2,735,611 in 2017-2018;
• The number of users attacked with cryptors almost halved, from 1,152,299 in 2016-2017 to 751,606 in 2017-2018;
• The number of users attacked with mobile ransomware fell by 22.5% from 130,232 in 2016-2017 to 100,868 in 2017-2018;
• The total number of users who encountered mobile miners also increased – but at a steadier pace, growing by 9.5% from 4,505 in 2016-2017 to 4,931 in 2017-2018.

What to expect from ransomware and crypto miners in the future

There is no definite answer to what is going to happen to any of that malware in the near or far future. Some speculate that ransomware will continue decreasing until they will be just a nice history in the books, yet hardworking cybersecurity specialists and new, improved variants like Arescrypt and samples posted on Github, prove that at least for now there is plenty of crypto-extortionist to tame and decrypt.

As for the crypto miners, they might result in some other massive infections, but that is also finite because they have limited, unless developers keep creating new types of virtual currency.

Lastly, no matter what is the percentage of either mentioned threat, you should be careful and aware of both.