The Shift from Ransomware to Cryptocurrency Mining

The transition that we've been seeing from ransomware to these cryptomining attacks is really driven by the attackers themselves and sort of the requirements that they have around making money. The types of attackers who use ransomware are opportunistic. They're going to infect as many people as possible because the more computers they infect, the more people they might be able to hold for ransom.

With cryptomining, it's the same kind of attackers. They want to infect as many computers as possible because every CPU that they're able to take over can contribute to solving those cryptographic puzzles and potentially making them money. One of the big advantages for cryptomining attacks over ransomware attacks is: it doesn't really matter where the computer is.

With a ransomware attack, if you infect somebody whose system is, let's say, in a small Southeast Asian nation where they don't have a lot of money to pay for the files that they want to get back, or they might not have a good mechanism to even acquire bitcoin or another currency to pay you. Even if you infect one of those computers and you encrypt all their files, the actual process of monetizing that attack, where they pay you the money back and you actually earn some income, is pretty challenging.

With cryptomining, you don't have that problem at all. Every CPU can mine coins. Every CPU, no matter where it is, no matter the income of the victim, they're in a position to actually make money with it. So that's the first thing that's driving a lot of attackers to cryptomining – the fact that they can monetize every infection.

The second thing is risk. When you look at the risk from a ransomware infection, it's actually a lot lower than other kinds of opportunistic attacks. Back in the earlier 2000s – back in 2006 through 2009 – we saw a lot of attacks using financially targeted malware, what we call banking Trojans. The kind of malware that goes in and steals your username and your password for your online banking account. And after they have that information, they actually log in to your account and then transfer money out of your account. And those attacks were very, very lucrative for attackers.

But they also included a lot of risk. By actually interacting with a bank, by logging into an account, transferring the money out, and then having to build up a network of what we call money mules to get that money to you, there's a lot of risk that you might actually get caught and prosecuted by law enforcement.

With ransomware, that risk is even lower. Because now, the victim has to report it to their local law enforcement, whoever they might be, and then they actually have to take action on that.

With cryptomining, the risk is even lower because the impact to the victim is relatively small. They might not even know the attack has started, or has been going on for weeks or months. All they'll really notice is that they're using a little bit more power, and there's a little bit more wear and tear occurring on their system. So, to the victim, there's a much lower impact, which means a much lower likelihood that law enforcement’s going to get involved and potentially arrest that attacker. So, this much higher number of systems that you're able to monetize, plus a much lower risk, is actually very attractive to attackers who are looking to launch these wide-scale, opportunistic attacks.