Security Experts:

Connect with us

Hi, what are you looking for?



Is Cryptojacking Replacing Ransomware as the Next Big Threat?

Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the market sectors of healthcare, finance, and education. 

Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the market sectors of healthcare, finance, and education. 

As more and more cybercriminals have jumped on the bandwagon, ransomware as a service and dozens of variations targeting organizations across the globe have practically turned it into a commodity. As it has evolved it has leveraged new delivery channels such as social engineering, new techniques such as multi-stage attacks to evade detection and infect systems, and new methods of payment often involving fledgling cryptocurrencies. 

For example, GandCrab ransomware emerged in January with the distinction of being the first ransomware to require Dash cryptocurrency as a payment. According to Europol, it claimed 50,000 victims in less than a month. BlackRuby and SamSam were two other ransomware variants that emerged during the first quarter of 2018, with SamSam achieving special notoriety for taking down the administrative infrastructure of a major US city in March. And a separate ransomware attack, known as Olympic Destroyer, targeted the Winter Olympics just before the opening ceremonies. The U.S. government also announced the discovery of malware variants, known as HARDRAIN and BADCALL, which have been attributed to the North Korean threat team known as HIDDEN COBRA.

Ransomware volume dropped in Q1 of 2018

But in spite of these continued developments threat researchers have begun to notice some recent shifts in the ransomware trend. One measure of the success of malware is the number of organizations it is able to impact. In Q4 of 2017, for example, nine different malware varieties, including ransomware variants, had each managed to infect more than 10% of all organizations. This had been a trend for several quarters. Then suddenly, in Q1 of 2018 the number of threats that managed to crack the ‘1 in 10 organizations infected’ threshold dropped to three, and none of them were ransomware.

This sudden change prompted the obvious question of “what happened?” The short answer is, “cryptojacking happened” as two of the three malware varieties that made the 10% list were cryptojacking malware, an emerging attack vector that has seen truly remarkable growth during the first few months of 2018.

Cryptojacking affects more than 1 in 4 organizations

Cryptojacking malware grew from impacting 13% of all organizations in Q4 of 2017 to 28% of companies in Q1 of 2018, more than doubling its footprint. And the growth of this malware variety has been detected across every region of the globe. It’s rare that a threat bursts onto the scene and moves so quickly to the forefront, but that’s exactly what we’ve witnessed with cryptojacking over the last two quarters. It is also showing incredible diversity for such a relatively new threat. Cryptominers have been documented targeting multiple operating systems, and that mine for a variety of cryptocurrencies. 

There also seem to be technical links between the ransomware and cryptojacking criminal communities. For example, ETERNAL BLUE was originally used in the WannaCry ransomware exploit. It has been now repurposed for a cryptojacking campaign called WannaMine. In addition, NotPetya’s use of Mimikatz (a hugely popular credential-stealing tool used for lateral movement) has also been mimicked by recent cryptojacking campaigns. And remember that Apache Struts vulnerability that compromised Equifax last fall? Cryptominers are targeting that as well. Even the recent Drupal vulnerability already been weaponized for cryptojacking.

Of course, ransomware and cryptojacking are fairly similar in terms of how they need to penetrate and spread between systems. But this may be more than just a case of one threat copycatting another. Ransomware has some inherent limitations, such as a poor long-term strategy for leveraging existing victims for additional revenue. Once ransomware hits an organization, criminals usually move on to the next victim. 

Another of the challenges ransomware faces is that its high profile. Corporations have seen the economic and reputational impact of such a compromise, and do not want to get caught in a ransomware snare.  So IT teams are on high alert to protect their networks, and are adopting a combination of advanced malware detection, network segmentation, patching, and offsite backups to fight back. As a result, more and more organizations are now able to simply refuse to pay a ransom because they can limit the impact of a ransomware attack and quickly restore whichever segment of the network was impacted. 

All of which complicates the criminal’s job of maintaining and updating ransomware to stay ahead of existing countermeasures. Like any successful enterprise, many cybercrime organizations understand the maxim, “worker smarter, not harder.”

Cryptojacking is a very different model

Cryptojackers have clearly discovered that, if done properly, leveraging the processing power of a hijacked system to mine for cryptocurrencies can be a potentially long-term profitable venture. 

Cryptojacking uses malware (typically via a script loaded into a web browser) to steal unused CPU cycles and use them to perform cryptomining calculations. This can be done either by directly infecting a device with malware, or by indirectly stealing processing cycles when a user visits a compromised website. New cryptojacking variations inject malicious JavaScript into a vulnerable website. Victims who simply browse such an infected site will have their CPU cycles hijacked to perform cryptomining. 

Unlike ransomware, the success of this attack vector depends on not being detected. New rate-limiting variations, for example, restrict their cryptojacking malware from ever consuming more than a certain percentage of available CPU, and can even back off when legitimate usage hits a certain threshold. This allows the malware to fly under the radar of users, as it never interrupts normal device operations. 

Cryptojackers who manage to develop and maintain a network of hijacked machines and aggregate the results
through a central command and control center are able to generate revenue with only a fraction of the attention caused by ransomware. Which is why we expect continued investment and innovation in this criminal business model. 

What your organization can do

If you are worried that your systems might be mining for, and lining the pockets of cybercriminals, start by checking the Task Manager (Windows), Activity Monitor (Mac), or “top” on the Linux command line on your connected devices. Collecting and listing the processes running across your network and then cross-referencing them against lists of legitimate software or known cryptojacking malware is one way to identify and address any application that’s surreptitiously consuming resources. The challenge is that many organizations don’t even maintain a current inventory of connected devices, let alone have some way to see what applications are running or how much resources they are consuming. Which is why a centralized management, orchestration, and IoC interface is essential for any security management system or SOC.

This is part of the larger challenge that IT teams face, which is simply finding the time or tools necessary to perform these sorts of basic security hygiene activities. Far too many IT teams today are simply stretched too thin implementing digital transformation projects to focus on new threat vectors. Complicating things further, encrypted data is now nearly 60% of all network traffic, rising another 6% in Q1 of 2018 alone. As cybercriminals increasingly use SSL and TLP encryption to hide malicious code or to exfiltrate data, inspecting encrypted traffic in increasingly crucial. Unfortunately, many legacy threat detection devices and signature-based antivirus tools currently in place don’t have the horsepower necessary to adequately inspect encrypted traffic at this volume without crippling network throughput. 

Cybercriminals understand this. Which is part of the reason why they constantly shift tactics, tools, and technologies. Since organizations are unlikely to get a huge increase in budget and resources, they, like their cybercriminal enemies, also need to work smarter rather than harder. What’s needed is an and integrated automated security system that spans the distributed network to see threats and detect malware, including inspecting encrypted traffic at wire speeds, and then make autonomous decisions that can marshal all available resources to respond to those threats in real time. Until that happens, cybercriminals are likely to remain one step ahead in the security arms race. 

Written By

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...