IBM: Cybercriminals Are Moving On From Ransomware to Cryptojacking

The cybercrime landscape is constantly evolving. As technology advances and organizations fortify their defenses, cybercriminals innovate new strategies to exploit vulnerabilities and generate illicit income. Over the past few years, we’ve witnessed a noticeable pivot in attack preferences. Where ransomware once reigned supreme, cryptojacking is now surging as the go-to method for stealthy cyberattacks.

According to IBM’s 2019 X-Force Threat Intelligence Index, cryptojacking incidents increased by a staggering 450% between Q1 and Q4 of 2018, while ransomware attacks saw a 45% decline in the same period. (IBM X-Force) This transition is more than just a shift in tactics—it’s a reflection of how threat actors are adapting for longevity, stealth, and profitability.

In this article, we’ll explore the rise of cryptojacking, the reasons behind its rapid adoption, the real-world impact it’s having across industries, and how organizations and individuals can detect, prevent, and respond to this silent threat. By the end, you’ll understand why cryptojacking isn’t just a nuisance—it’s a red flag of deeper, more sinister breaches to come.


What is Cryptojacking?

Cryptojacking is the unauthorized use of someone else’s computer, server, or mobile device to mine cryptocurrency. Unlike ransomware, which encrypts data and demands a ransom, cryptojacking operates in stealth. The malicious software typically runs quietly in the background, hijacking CPU or GPU power to mine cryptocurrencies such as Monero (XMR), which is particularly favored due to its privacy features.

Two Primary Types of Cryptojacking

  1. In-Browser Cryptojacking
    • This occurs when a user visits a website embedded with cryptomining JavaScript code.
    • As long as the browser tab remains open, the code siphons off processing power to mine cryptocurrency.
    • Often deployed via malvertising or hijacked websites.
  2. Malware-Based Cryptojacking
    • More persistent and damaging.
    • Attackers use phishing emails or drive-by downloads to install mining software directly on a device.
    • Runs indefinitely until manually discovered and removed.

Both methods are highly effective because users often don’t realize they’ve been compromised. They may only notice slightly slower device performance or higher electric bills.

Cryptocurrency Mining: How It Works

Cryptocurrency mining is the process of verifying and adding transactions to a blockchain ledger, a digital and decentralized ledger that underpins cryptocurrencies. Mining requires solving complex mathematical problems using computing power. In return for this computational work, miners are rewarded with cryptocurrency.

In legitimate mining operations, individuals or companies use powerful hardware specifically designed for mining, like ASICs (Application-Specific Integrated Circuits) or high-end GPUs. However, in cryptojacking, the attacker steals these computational resources by infecting others’ devices with malicious code.

The profitability of cryptojacking depends on various factors:

  • The number of infected devices
  • The processing power of each device
  • The duration of infection
  • The market value of the cryptocurrency being mined

This is why criminals aim to compromise as many devices as possible and remain undetected for as long as possible.


Cryptojacking vs. Ransomware: A Strategic Shift

Factor                      | Cryptojacking | Ransomware
Visibility                  | Low           | High
Victim interaction required | No            | Yes
Disruption level            | Low           | High
Revenue model               | Recurring     | One-time
Risk for attacker           | Low           | High
Detection difficulty        | High          | Medium

Ransomware grabs headlines and law enforcement attention. Cryptojacking, on the other hand, is low-noise, high-yield. It enables cybercriminals to fly under the radar for extended periods, especially when deployed across a fleet of infected devices.

Charles Henderson, head of IBM’s X-Force Red, said it best: “With ransomware, you lose the customer after one transaction. There’s no recurring revenue—it’s just bad business.”


Why Cryptojacking is Rising

1. Lower Risk of Detection

Unlike ransomware, which immediately alerts the victim, cryptojacking can remain unnoticed for months. Most users don’t associate a sluggish computer or overheating device with a cybersecurity issue.

2. Recurring Revenue Model

Cryptojacking provides ongoing profits without relying on ransom payments. It’s a digital form of parasitism—leeching off computing power for as long as possible.

3. Cryptocurrency Appeal

Monero and other privacy-focused cryptocurrencies are difficult to trace. This provides criminals with an added layer of anonymity.

4. Global Availability of Processing Power

Any internet-connected device with a CPU is a potential target. This includes servers, desktops, mobile devices, IoT gadgets, smart TVs, and even Wi-Fi routers.

5. Ease of Deployment

Many cryptojacking scripts are open-source or available for purchase on the dark web. The barrier to entry is low.


Real-World Examples of Cryptojacking

Tesla’s Cloud Infrastructure

In 2018, security researchers discovered that hackers had gained access to Tesla’s Kubernetes console, which lacked password protection. Once inside, attackers deployed mining scripts using Tesla’s AWS infrastructure. (RedLock)

The Pirate Bay

The popular torrent site embedded Coinhive mining scripts on its pages, hijacking visitors’ CPU power without their consent. Though the site claimed it was a monetization experiment, backlash was swift.

UK Government Websites

In early 2018, over 4,000 government websites, including the Information Commissioner’s Office, were infected with cryptomining code via a compromised third-party plugin.

Educational Institutions

Several universities across the U.S. and Europe have been targeted due to their powerful computing labs. In some cases, students and faculty unknowingly introduced mining malware through unsecured devices.

Additional Incidents

Cryptojacking attacks have also hit:

  • Healthcare institutions
  • Municipal governments
  • Telecom providers
  • Cryptocurrency exchanges
  • Online retailers

Each incident provides further evidence that no sector is immune from this growing cyber threat.


Impacts of Cryptojacking

1. Performance Degradation

Cryptojacking consumes CPU cycles, causing noticeable slowdowns. In corporate settings, this translates to decreased employee productivity.

2. Increased Operational Costs

Constant high-performance computing can lead to:

  • Higher electricity bills
  • Greater wear on hardware
  • More frequent replacements and maintenance

3. Security Breaches

Cryptojacking indicates a successful intrusion. If attackers can deploy miners, they might also exfiltrate data, move laterally, or install more dangerous malware.

4. Reputational and Legal Risks

Publicly disclosed cryptojacking incidents can damage trust. If regulatory frameworks like GDPR or CCPA are implicated, financial penalties could follow.


Technical Deep Dive: How Cryptojacking Works

  1. Initial Compromise: Attackers gain access through phishing, software vulnerabilities, or supply chain attacks.
  2. Payload Delivery: Cryptomining malware is downloaded and installed.
  3. Resource Hijacking: The malware begins mining in the background, often using obfuscation to avoid detection.
  4. Profit Extraction: Cryptocurrency is transferred to wallets owned by the attacker.
  5. Persistence Mechanisms: The malware may install rootkits or run as a hidden service to maintain long-term access.

More advanced variants use fileless techniques, injecting code directly into memory to evade disk-based antivirus tools.


Detection: How to Know You’re a Victim

  • Devices running hot constantly
  • Unexplained CPU/GPU spikes
  • Sluggish performance despite low activity
  • System fans running louder than usual
  • Antivirus or endpoint protection alerts
  • High energy usage reports in data centers

Tools to monitor:

  • Task Manager / Activity Monitor
  • Sysinternals Suite (Windows)
  • htop / atop (Linux)
  • Browser add-ons like NoCoin or MinerBlock
  • SIEM systems for anomaly detection
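The "unexplained CPU spikes" indicator can be turned into a simple rule: alert on processes that stay pinned near full CPU for several consecutive samples, since legitimate spikes tend to be short. This is an added example, not part of the original article; the threshold, run length, allowlist entry and sample lines are all assumed or constructed values.

```python
from collections import defaultdict

THRESHOLD = 80.0                 # CPU % treated as "high" (assumed; tune per fleet)
MIN_RUN = 4                      # consecutive one-minute samples before alerting (assumed)
ALLOWLIST = {"nightly-backup"}   # hypothetical approved CPU-heavy job

# Constructed samples, one line per process per minute: "minute pid name cpu_percent"
SAMPLES = """\
0 310 chrome 91.0
0 977 sysupdate 97.2
0 120 nightly-backup 88.0
1 310 chrome 12.4
1 977 sysupdate 96.8
1 120 nightly-backup 90.1
2 310 chrome 85.0
2 977 sysupdate 98.0
2 120 nightly-backup 89.5
3 977 sysupdate 97.5
3 120 nightly-backup 91.0
4 977 sysupdate 96.9
"""

def parse(text):
    """Yield (minute, pid, name, cpu) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        try:
            minute, pid, name, cpu = parts
            yield int(minute), int(pid), name, float(cpu)
        except ValueError:
            continue

def sustained_high_cpu(text, threshold=THRESHOLD, min_run=MIN_RUN, allowlist=ALLOWLIST):
    """Map (pid, name) -> longest run of consecutive high-CPU minutes, if >= min_run."""
    series = defaultdict(dict)
    for minute, pid, name, cpu in parse(text):
        series[(pid, name)][minute] = cpu
    alerts = {}
    for (pid, name), by_minute in series.items():
        longest, run, prev = 0, 0, None
        for minute in sorted(by_minute):
            high = by_minute[minute] >= threshold
            contiguous = prev is not None and minute == prev + 1
            # A low sample or a gap in the data resets the run.
            run = (run + 1 if contiguous else 1) if high else 0
            longest, prev = max(longest, run), minute
        if longest >= min_run and name not in allowlist:
            alerts[(pid, name)] = longest
    return alerts
```

Process names are easy to spoof, so in production the allowlist should key on something harder to fake, such as the binary path plus its hash.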

Prevention Strategies

For Individuals

  • Install reliable antivirus software
  • Update operating systems and browsers regularly
  • Avoid clicking suspicious links
  • Use ad blockers and mining script blockers
  • Don’t install apps from unknown sources

For Organizations

  • Deploy Endpoint Detection and Response (EDR)
  • Monitor network traffic for anomalies
  • Restrict JavaScript execution with policy controls
  • Harden cloud infrastructure with access controls
  • Audit logs for unauthorized processes
  • Conduct regular cybersecurity training
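One policy control against the in-browser variant is a Content-Security-Policy header on the sites you operate. The following added example (not from the original article) audits a header for the directives that govern script loading, Web Workers and outbound connections; treating CSP as the policy control, the finding wording and both sample headers are assumptions.

```python
# Fallback chains as defined by the CSP specification.
FALLBACKS = {
    "script-src": ["script-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
}
BROAD = {"*", "http:", "https:", "ws:", "wss:", "data:", "blob:"}
RISKY_SCRIPT = {"'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins, as in browsers."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            # Lowercased for comparison only; do not reuse for nonce or hash values.
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_csp(header):
    """Return sorted findings for script loading, workers and outbound connections."""
    policy = parse_csp(header)
    findings = []
    for directive, chain in FALLBACKS.items():
        effective = next((policy[d] for d in chain if d in policy), None)
        if effective is None:
            findings.append(f"{directive}: unrestricted (no directive or fallback)")
            continue
        for src in effective:
            if src in BROAD:
                findings.append(f"{directive}: broad source {src}")
            elif directive == "script-src" and src in RISKY_SCRIPT:
                findings.append(f"{directive}: allows {src}")
    return sorted(findings)

# Constructed headers: a permissive policy beside a restrictive one.
WEAK = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
HARDENED = ("default-src 'self'; script-src 'self' https://static.example.com; "
            "worker-src 'none'; connect-src 'self'")

if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_csp(header))
```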

Legal and Ethical Considerations

Cryptojacking blurs ethical lines, especially in cases like The Pirate Bay. Even with disclosed intent, using someone’s hardware and energy without consent is digital exploitation.

Legal Implications:

  • Unauthorized access laws (Computer Fraud and Abuse Act)
  • Data protection violations (GDPR, HIPAA)
  • Potential class-action lawsuits from affected users or employees

Companies must also consider insurance implications. Many cyber insurance policies require disclosure of intrusions and may exclude losses from non-disruptive malware.


The Future of Cryptojacking

Hybrid Threats

Some attackers deploy ransomware and cryptojacking simultaneously. If the user refuses to pay, the miner still earns them money.

Mobile Devices

As mobile hardware becomes more powerful, attackers increasingly target smartphones for background mining.

AI and Machine Learning

Advanced campaigns use AI to:

  • Adapt to host environments
  • Select profitable mining algorithms
  • Evade detection through behavior analysis

Cryptojacking-as-a-Service (CaaS)

Available on the dark web, these kits include control panels, obfuscation tools, and customer support. Prices start as low as $30.


Conclusion

Cryptojacking represents a fundamental shift in the economics of cybercrime. It’s a silent, scalable, and increasingly common method of monetization for cybercriminals. While ransomware may still dominate headlines, cryptojacking is quietly spreading across networks, devices, and cloud platforms worldwide.

The challenge is its subtlety. By the time it’s discovered, the damage—whether financial, operational, or reputational—may already be done. The best defense lies in vigilance, layered protection, and continuous user education.

Businesses and individuals alike must stop thinking of cryptojacking as a minor nuisance. In today’s cybersecurity reality, it’s often the canary in the coal mine.


Key Takeaways:

  • Cryptojacking attacks surged 450% in 2018, overtaking ransomware
  • Offers attackers stealth, scalability, and recurring profits
  • Targets range from individuals to enterprises and governments
  • Detection is difficult; impact includes cost, performance, and security gaps
  • Prevention involves education, monitoring, and hardening infrastructure

About the Author: Bernard Aybout (Virii8)