Despite the profitability of ransomware there is a good reason why mining malware is thriving

Posted by    on   Sep 15, 2017

When, a few years ago, a friend and I were analysing a rather large botnet and we saw some network traffic indicating that it was engaged in Bitcoin mining, we felt rather disappointed: using malware to mine for cryptocurrencies is about as basic as it gets. It is the digital equivalent of breaking into someone's house, stealing all their books and furniture, and then burning them to use as fuel.

That was four years ago, but miners continue to thrive: Kaspersky researchers say they have seen 1.65 million infections involving mining software in 2017 alone, while ESET writes about how some malicious ads use JavaScript to mine cryptocurrencies in the browser.

Cryptocurrencies (or 'crypto', if you want to annoy the cryptography community) have seen huge increases in their value, but even at the current rates, why would someone use a compromised PC for mining purposes, when there are Bitcoin farms that use dedicated hardware to mine far more efficiently? Wouldn't every calculating cybercriminal switch to the far more profitable ransomware instead, preferring hundreds of dollars (even if not every victim ends up paying) over mere pennies?

The probable answer lies in the global distribution of malware. Cybercriminals have discovered that a few hundred dollars is the 'right' amount for a ransom: enough to generate them a good income, yet affordable for most users who really want their files back. But this is only true for users living in Western countries, on Western incomes. And the Western world is not where the majority of malware infections exist.

In its State of Malware Report (pdf) from the beginning of this year, Malwarebytes writes that almost two-thirds of botnet detections are in Asia or Africa, compared with barely more than ten per cent of ransomware detections.

 

malwarebytes_malware_continents.png

Source: Malwarebytes.


The first stage of a malware infection is often a 'loader', whose sole task is to download the actual payload. A number of factors are taken into consideration when determining which malware to download, and geographic location is prominent among them. Thus the same malicious spam email can lead to ransomware in one country and to Bitcoin mining malware in another, where ransomware is not likely to yield sufficient gains.

As human beings, cybercriminals often don't make fully rational decisions. But when it comes to using their botnets to mine for malware, there really is a simple explanation.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

Registration open for VB2019 ─ book your ticket now!

Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

The VB2019 call for papers is about ... papers

When we are calling for papers for the Virus Bulletin conference as we are doing now, we really mean a written paper. But don't worry if you've never written a paper - we can help!

VB2018 video: Adware is just malware with a legal department - how we reverse engineered OSX/Pirrit, received legal threats, and survived

Amit Serper first analysed the OSX/Pirrit adware in 2016, highlighting some of its malware-like techniques, and soon afterwards started receiving legal threats from the company behind it. At VB2018 Amit gave a presentation in which he discussed both…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.