
The wave of cryptojacking, the illegitimate mining of cryptocurrency on a machine without its owner's consent, is gaining ground among criminals looking to capitalize on the trend. New research concludes that old ransomware is now being retrofitted with crypto-mining components to maximize profits for its operators.

Upgrading to Crypto

According to a September 5 report by IT Pro Today, the security firms Kaspersky Lab and Fortinet have each documented criminals updating existing ransomware with the ability to use a victim's computing power to mine cryptocurrency. In practice the currency is almost always Monero rather than Bitcoin: Monero's proof-of-work was designed to run on ordinary CPUs, while mining Bitcoin on a commodity PC has not been profitable for years.

The Rakhni Trojan, a ransomware family first seen in 2013 and reported to have affected millions of users, has been upgraded to mine cryptocurrency. Once it lands on a victim's machine, the dropper first checks the PC for installed antivirus products and other analysis tooling, and only then decides whether to install its encryptor or a Monero miner.

Kaspersky Lab researcher Egor Vasilenko explained in a blog post that the malware chooses between the two payloads by looking for the folder %AppData%\Bitcoin on the victim's machine (the data directory of the Bitcoin Core wallet). If the folder exists, the victim is assumed to hold cryptocurrency worth ransoming and the encryptor is downloaded. If it does not exist and the machine has more than two logical processors, the miner component is downloaded instead to siphon CPU time.

If neither condition holds (no wallet folder and too few processors to make mining worthwhile), the Trojan falls back to a worm component that tries to copy itself to other machines on the local network rather than encrypting or mining on the machine it is already on.

In a similar vein, Fortinet analysts reported in July 2018 a variant of the Jigsaw ransomware (first seen in April 2016) that had been fitted with a Bitcoin stealer. Instead of encrypting files, it watches for Bitcoin addresses the victim copies to the clipboard and swaps them for addresses owned by the attackers, so that a payment the user intends for a trusted recipient goes to the criminals instead.

Because a Bitcoin address is a long string of seemingly random alphanumeric characters, few people remember or verify the whole thing before sending, and the stealer exploits exactly that shortcoming. The practical defence is to compare the complete pasted address against the intended one, not just its first and last few characters, since a substitute address can be chosen to share those.

The method has reportedly paid off: the attackers are said to have swapped over 10,000 bitcoin addresses for their own wallets, although the total amount of funds diverted by such attacks remains unknown.
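Added example (not code from the article or from Fortinet's analysis): a small Python implementation of Bitcoin's Base58Check address encoding, used to show why the habit of glancing at the first few characters fails against an address swapper. The intended recipient is the well-known genesis-block coinbase address; the attacker's address pool is constructed here by hashing a counter (a stand-in for real key material, labelled as such in the code), and the function and variable names are my own.

```python
import hashlib

# Bitcoin's Base58 alphabet (0, O, I and l are left out to avoid confusion).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 encode; every leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def encode_address(version: int, hash160: bytes) -> str:
    """Legacy address = Base58(version || hash160 || checksum)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def decode_address(addr: str):
    """Return (version, hash160) for a well-formed address, or None if the
    characters, the length or the checksum are wrong."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:
        return None
    payload, chk = raw[:21], raw[21:]
    if checksum(payload) != chk:
        return None
    return payload[0], payload[1:]


def glance_match(a: str, b: str, n: int = 3) -> bool:
    """The shortcut a hurried user takes: compare only the first n characters."""
    return a[:n] == b[:n]


def same_address(intended: str, pasted: str) -> bool:
    """What the payment step should do: full equality on a valid address."""
    return decode_address(pasted) is not None and intended == pasted


def find_lookalike(target: str, prefix_len: int = 3, limit: int = 1_000_000) -> str:
    """Show how cheaply an attacker fills an address pool with look-alikes.
    Constructed key material: hash160 is taken from SHA-256 of a counter, a
    stand-in for RIPEMD160(SHA256(pubkey)) of a key the attacker controls."""
    for i in range(1, limit):
        fake_hash160 = hashlib.sha256(i.to_bytes(4, "big")).digest()[:20]
        cand = encode_address(0x00, fake_hash160)
        if cand != target and glance_match(cand, target, prefix_len):
            return cand
    raise RuntimeError("no look-alike found within the search limit")


# Intended recipient for the demo: the coinbase address of Bitcoin's genesis block.
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def demo() -> dict:
    """Scenario: a clipboard swapper replaces INTENDED with a look-alike."""
    swapped = find_lookalike(INTENDED)
    return {
        "swapped": swapped,
        "swapped_is_valid": decode_address(swapped) is not None,
        "glance_fooled": glance_match(INTENDED, swapped),
        "exact_check_catches_it": not same_address(INTENDED, swapped),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Matching three leading characters takes on the order of a thousand candidate keys; each extra matched character at either end multiplies the attacker's work by roughly 58, which is still trivial for a precomputed list. Only a full-string comparison (and ideally a second channel to confirm the address) closes the gap.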

WannaCry’s Infiltration

Another prominent piece of malware has spawned cryptocurrency miners. WannaCry, the May 2017 ransomware that encrypted victims' data and demanded bitcoin, spread through EternalBlue, an exploit for a flaw in SMBv1 that Microsoft had fixed in the MS17-010 update two months earlier. The same exploit was later found being used to cryptojack PCs.

That campaign was dubbed WannaMine, and it marks a growing share of attackers choosing to steal computing power for mining instead of encrypting files, an approach that draws far less attention from victims and antivirus products. Any machine still exposed to EternalBlue (SMBv1 enabled, MS17-010 not applied) is reachable by WannaMine just as it was by WannaCry, and patching alone is not the whole answer: WannaMine also moves laterally with credentials harvested from memory, so the usual credential hygiene applies.

While ransomware variants were the norm until 2017, 2018 has seen a full-fledged shift to mining-only malware. The antivirus vendors McAfee, Malwarebytes and Check Point have all reported that cryptojacking attacks skyrocketed in 2018.

The growth is unsurprising. Ransomware requires the attacker to write code that evades security products and then to deal with the victim to collect payment, which exposes infrastructure and risks revealing an identity. Cryptojacking software simply runs in the background; it is comparatively easy to write and distribute, often little more than a wrapper around an open-source miner, and the proceeds arrive without any contact with the victim.

A Hacker’s Favorite?

Hackers and computer-savvy users may notice a sluggish machine and a noisy fan, two classic symptoms of cryptojacking, but a large part of the public ignores such signs. In some cases, attackers have tuned the miner to the user's working hours: it consumes less CPU while the user is active and ramps up once the machine is idle or the workday ends, so the symptoms appear precisely when nobody is watching.
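Added example (not from the article or any vendor's tooling): a Python triage heuristic for the time-of-day throttling described above. It runs over a constructed day of hourly per-process CPU samples from an office PC and flags processes that stay busy through nearly all of the user's off-hours while keeping quiet during the workday; the process names, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Sample = Tuple[int, str, float]  # (hour of day, process name, cpu percent)


def constructed_samples() -> List[Sample]:
    """Constructed sample data: one hourly sample per process over one day,
    the kind of series a resource monitor or EDR agent produces."""
    rows: List[Sample] = []
    for hour in range(24):
        at_work = 9 <= hour < 18
        # A miner throttled while the user is active, full speed once they leave.
        rows.append((hour, "svchost_.exe", 15.0 if at_work else 85.0))
        # A browser: busy when the user is, idle otherwise.
        rows.append((hour, "chrome.exe", 45.0 if at_work else 3.0))
        # A legitimate nightly backup: one hour of heavy load, then nothing.
        rows.append((hour, "backup.exe", 90.0 if hour == 2 else 0.5))
    return rows


def _avg(xs: List[float]) -> float:
    return sum(xs) / len(xs) if xs else 0.0


def profile(samples: List[Sample], work_start: int = 9, work_end: int = 18,
            busy: float = 50.0) -> Dict[str, dict]:
    """Per process: mean CPU inside and outside working hours, and the share of
    off-hours samples at or above the `busy` threshold (sustained load, as
    opposed to a single scheduled job)."""
    buckets = defaultdict(lambda: {"work": [], "off": []})
    for hour, proc, cpu in samples:
        key = "work" if work_start <= hour < work_end else "off"
        buckets[proc][key].append(cpu)
    result: Dict[str, dict] = {}
    for proc, b in buckets.items():
        off = b["off"]
        result[proc] = {
            "work_mean": _avg(b["work"]),
            "off_mean": _avg(off),
            "off_busy_share": (sum(1 for c in off if c >= busy) / len(off)) if off else 0.0,
        }
    return result


def suspicious(samples: List[Sample], min_off_busy_share: float = 0.8,
               ratio: float = 2.0) -> List[str]:
    """Flag processes whose off-hours load is sustained (not a one-off job) and
    at least `ratio` times their working-hours load: the inverse of a human's day."""
    flagged = []
    for proc, p in profile(samples).items():
        sustained = p["off_busy_share"] >= min_off_busy_share
        inverted = p["off_mean"] >= ratio * max(p["work_mean"], 1.0)
        if sustained and inverted:
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    data = constructed_samples()
    for proc, p in profile(data).items():
        print(f"{proc:14s} work={p['work_mean']:5.1f}% off={p['off_mean']:5.1f}% "
              f"off_busy={p['off_busy_share']:.2f}")
    print("suspicious:", suspicious(data))
```

The sustained-load criterion is what keeps the nightly backup out of the result: its off-hours mean is inflated by one heavy hour, but only one of fifteen off-hours samples is busy. Treat a hit as a lead, not a verdict; confirm with the binary's hash, its parent process and any persistent outbound connections to mining pools.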

Given the rise in cryptojacking cases, security researchers expect the trend to persist. Anthony Giandomenico, a senior security strategist and researcher with Fortinet, stated:

“As the cybercrime ecosystem matures, there is a lot of malicious software out there, and many times that software is leaked to others or to the public. When it’s leaked, it is usually picked up by other bad actors and either reused as is or modified or enhanced. Why reinvent the wheel when you have the wheel and you can just focus on enhancing it?”


Giandomenico added that hacking groups are reusing WannaCry code to build their own malware, usually with different settings, as they look to capitalize on the trend while the cryptocurrency market, together with the lack of crypto-specific security products, still makes it easy to infiltrate targets and siphon funds.