Finder makes money from featured partners, but editorial opinions are our own.

Cryptojacking is now indisputably the most popular malware


Ransomware has definitively been trumped by the "user friendliness" of cryptojacking malware.

Malware is a quick-moving industry, with attackers locked in a constant arms race against defenders. As such, the prevalence of different types of attack shifts rapidly.

According to the latest Skybox Security mid-year trends report, at its peak in June 2017, ransomware was the most popular option by a long shot, accounting for over 70% of attacks. A month later, that dropped to about 30%, and now it's down to only 8%.

It's being neatly replaced by cryptojacking, which accounted for only 7% of attacks in the second half of 2017, but now makes up 32% of attacks. The tipping point might have been in December as the crypto boom drew a lot more attention to the space.

  • Ransomware is malware that holds data hostage by encrypting it and then releasing a decoder when a ransom is paid.
  • Cryptojacking is malware that infects computers with cryptocurrency miners. The computers then mine cryptocurrency, and the proceeds are sent to the attackers.

Why the sudden shift?

The abrupt shift is the simultaneous result of ransomware becoming less profitable, and cryptojacking being regarded as safer and more profitable. Both are also a kind of "entry level" malware which can be carried out by almost anyone, and can even come with helpful tips and tech support from the malware sellers. As such, a lot of former ransomware users are probably moving into cryptojacking, accounting for some of the shift.

The Fatboy ransomware product, for example, offered its users tech support and automatically adjusted its ransom in line with The Economist's Big Mac Index to hit the sweet spot where victims would be more willing and able to pay.

The decline of ransomware

Skybox also points at the sharply declining profitability of ransomware in late 2017. As ransomware boomed, the field of "providers" got less professional and less reliable.

Increasingly, they wouldn't or couldn't release the files after a ransom was paid, would greedily set the prices too high and generally failed to reliably serve their victims/customers. With the standard of service dropping across the board, fewer people chose to pay the ransom and it got less profitable for attackers.

At the same time, countermeasures came into place. Independent researchers began to produce programs to decrypt the files and serve as "vaccines" against certain strains of ransomware. People also became more aware of the dangers and more protective tools emerged. In addition, organisations increasingly started keeping data backups, storing data remotely and using cloud hosting.

Plus, there's still the question of actually extracting payment. Ransomers would typically demand cryptocurrency, but actually getting it and transferring it was another major obstacle for customers, increasing the chances of them just writing off the data instead of paying.

The rise of cryptojacking

One of the nice things about cryptojacking, relative to less nice things, is that it's not that actively harmful. Attackers appreciate that because it means victims are more likely to shrug off an infection as a nuisance or not even know it's there.

This is perfect for cryptojacking malware, which aims to stay on systems as long as possible to maximise profits. Some newer strains of cryptojacker will even sweep for and kill off rival malware that got there first, so it doesn't have to share the victim with anyone else.

Cryptojacking also solves the payment problem by creating and delivering cryptocurrency directly. The "commercial agreements" behind cryptojackers can also be more palatable for users, taking the form of an automatic profit-sharing mechanism between the providers and the users. At the same time, it's still relatively novel so many organisations haven't started using the right precautions yet.

Using the right adblockers, toolbars and malware scanners, and not opening suspicious attachments, can greatly reduce the risk of remote cryptojacking.

It's not just for remote attackers though. Sometimes seemingly trustworthy programs will also load up crypto miners, and there have even been instances of tech support companies installing crypto miners on client computers. Those might be trickier to avoid.

Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.

Disclaimer: This information should not be interpreted as an endorsement of cryptocurrency or any specific provider, service or offering. It is not a recommendation to trade. Cryptocurrencies are speculative, complex and involve significant risks – they are highly volatile and sensitive to secondary activity. Performance is unpredictable and past performance is no guarantee of future performance. Consider your own circumstances, and obtain your own advice, before relying on this information. You should also verify the nature of any product or service (including its legal status and relevant regulatory requirements) and consult the relevant Regulators' websites before making any decision. Finder, or the author, may have holdings in the cryptocurrencies discussed.


Picture: Shutterstock
