Cyber criminals have started using sophisticated infection methods and techniques borrowed from targeted attacks in order to install mining software on attacked PCs within organizations says Kaspersky Lab.
Some 2.7 million users have been attacked by malicious miners in 2017, according to Kaspersky's data. That's around 50 percent higher than in 2016 (1.87 million). But at the same time ransomware attacks have seen a decline.
Spikes in cryptocurrency values have made these attacks lucrative. Users have been falling victim as a result of adware, cracked games and pirated software used by cyber criminals to secretly infect their PCs. Kaspersky reckons the criminal groups behind the attacks have earned millions of dollars in just six months during 2017, which is comparable to the sort of income ransomware creators used to earn.
"We see that ransomware is fading into the background, giving way to miners," says Anton Ivanov, lead malware analyst, Kaspersky Lab. "This is confirmed by our statistics, which show a steady growth of miners throughout the year, as well as by the fact that cyber criminals groups are actively developing their methods and have already started to use more sophisticated techniques to spread mining software. We have already seen such an evolution -- ransomware hackers were using the same tricks when they were on the rise."
Victims are lured into downloading and installing an application with the miner installer hidden inside. This installer drops a legitimate Windows utility, with the main purpose of downloading the miner itself from a remote server. After its execution, a legitimate system process starts, and the legitimate code of this process is changed to malicious code. The miner therefore operates under the guise of a legitimate task, so it’s difficult, if not impossible, for a user to recognize if there is a mining infection. It is also hard for security solutions to detect this threat. In addition, miners mark this new process through the way it restricts any task cancellation. If the user tries to stop the process, the system will reboot, so criminals can protect their presence in the system for a longer and more productive time.
You can find out more on the Kaspersky SecureList blog.