Ransomware and malicious crypto miners in 2016-2018
Ransomware is not an unfamiliar threat. For the last few years it has been affecting the world of cybersecurity, infecting and blocking access to various devices or files and requiring users to pay a ransom (usually in Bitcoins or another widely used e-currency), if they want to regain access to their files and devices.
The term ransomware covers two main types of malware: so-called window blockers (which block the OS or browser with a pop-up window) and cryptors (which encrypt the user’s data). The term also encompasses select groups of Trojan-downloaders, namely those that tend to download encryption ransomware once a PC is infected.
This year, however, we came across a huge obstacle in continuing this tradition. We have found that ransomware is rapidly vanishing, and that cryptocurrency mining is starting to take its place.
The architecture of cryptocurrencies assumes that, in addition to purchasing cryptocurrency, a user can create a new currency unit (or coin) by harnessing the computational power of machines that have specialized ‘mining’ software installed on them.
Cryptocurrency mining is the process of creating these coins – it happens when various cryptocurrency transactions are verified and added to the digital blockchain ledger. The blockchain, in its turn, is a chain of successive blocks holding recorded transactions such as who has transferred bitcoins, how many, and to whom. All participants in the cryptocurrency network store the entire chain of blocks with details of all of the transactions that have ever been made, and participants continuously add new blocks to the end of the chain.
Those who add new blocks are called miners, and in the Bitcoin world, as a reward for each new block, its creator currently receives 12.5 Bitcoins. That’s approximately $30,000 according to the exchange rate on July 1, 2017. You can find out more about the mining process here.
Given the above, this report will examine what is hopefully ransomware’s last breath, in detail, along with the rise of mining. The report covers the period April 2017 to March 2018, and compares it with April 2016 – March 2017.
- The total number of users who encountered ransomware fell by almost 30%, from 2,581,026 in 2016-2017 to 1,811,937 in 2017-2018;
- The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by around 1 percentage point, from 3.88% in 2016-2017 to 2.80% in 2017-2018;
- Among those who encountered ransomware, the proportion who encountered cryptors fell by around 3 percentage points, from 44.6% in 2016-2017 to 41.5% in 2017-2018;
- The number of users attacked with cryptors almost halved, from 1,152,299 in 2016-2017 to 751,606 in 2017-2018;
- The number of users attacked with mobile ransomware fell by 22.5% from 130,232 in 2016-2017 to 100,868 in 2017-2018;
- The total number of users who encountered miners rose by almost 44.5% from 1,899,236 in 2016-2017 to 2,735,611 in 2017-2018;
- The share of miners detected, from the overall number of threats detected, also grew from almost 3% in 2016-2017 to over 4% in 2017-2018;
- The share of miners detected, from overall risk tool detections, is also on the rise – from over 5% in 2016-2017 to almost 8% in 2017-2018;
- The total number of users who encountered mobile miners also increased – but at a steadier pace, growing by 9.5% from 4,505 in 2016-2017 to 4,931 in 2017-2018.
This report has been prepared using depersonalized data processed by Kaspersky Security Network (KSN). The metrics are based on the number of distinct users of Kaspersky Lab products with the KSN feature enabled, who encountered ransomware and cryptominers at least once in a given period, as well as research into the threat landscape by Kaspersky Lab experts.