Threat Intelligence

The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware

Daniel Dimov
June 14, 2018 by
Daniel Dimov

1. Introduction

ISACA, an international association focused on IT governance, has recently released its annual study "State of Cybersecurity." The study relates to the year 2018 and is based on feedback provided by 2,366 security leaders. It found that, while in the last year 62% of the respondents experienced ransomware attacks, only 45% of them experienced such attacks in 2018. The data indicate that ransomware attacks may be replaced by a relatively new cybersecurity threat, i.e., cryptocurrency mining malware. In comparison with other types of malware (including ransomware), this type of malicious programs does not aim to encrypt files without authorization, turn off computer systems, or delete important system files. The purpose of cryptocurrency mining malware is to use the computer power of the infected computers for mining cryptocurrencies. Since cryptocurrency mining malware does not have an obvious impact on the infected computers, the users of those computers may not detect it for a long time.

In this article, we examine the reasons for the decline of ransomware (Section 2) and the rise of cryptocurrency mining malware (Section 3). Finally, we provide concluding remarks (Section 4).

2. The reasons for the decline of ransomware

After the WannaCry and NotPetya ransomware attacks in 2017, many companies implemented comprehensive ransomware strategies. 78% of the respondents of the study mentioned above adopted such strategies in 2018, whereas only 53% of the respondents in 2017 had such strategies. 2017 was officially declared "the year of ransomware" as a result of more than 90% increase of malware attacks that year.

After facing the strong anti-ransomware measures adopted by many organizations and the raised security awareness regarding ransomware, malware creators decided to focus their attention on new cybersecurity threats. It is worth mentioning that such threat cycles are a common occurrence in the field of cybersecurity. Similarly, to legitimate businesses, malware creators need to innovate to increase "the use of their products."

3. The rise of cryptocurrency mining malware

2017 was not only the year of ransomware but also the year of blockchain awareness. Apparently, fraudsters also became aware of the benefits of blockchain and might even have noticed that 2018 is likely to be the year of blockchain adoption. Therefore, they decided to concentrate their activities on a new cybersecurity threat, namely, cryptocurrency mining malware. To illustrate how this type of malware works, we will examine its most prominent representative, i.e., Dofoil (also known as Smoke Loader). Microsoft detected it on 6th of March 2018.

Dofoil infects computers by tricking the victims to open a Trojan that performs a process hollowing on explorer.exe. The term "process hollowing" refers to a technique for injecting code. It includes spawning a new instance of a legitimate process and replacing the legitimate code with malicious programs. More specifically, Dofoil targets c:windowssyswow64explorer.exe. The hollowed process is used for running a coin mining malware camouflaged as the legitimate Windows binary "wuauclt.exe." The coin mining malware can mine different currencies because it supports NiceHash. Microsoft analyzed a version of Dofoil which mines Electroneum coins.

To ensure that it is well hidden, Dofoil modifies the registry. The hollowed explorer.exe creates a copy of the malware in the Roaming AppData folder and, afterward, changes the name of the folder to ditereah.exe. Next, it modifies an existing registry key or creates a new one to refer to the newly created copy of the malware. In the version of the malware analyzed by Microsoft, Dofoil modified the OneDrive Run key.

It should be noted that Dofoil can connect to command and control (C&C) servers and listen to commands to download and install malware. The version of Dofoil examined by Microsoft used the decentralized Namecoin network infrastructure for C&C communications.

In the near future, we can expect an increase in the number of cryptocurrency mining malware applications. The reason is that this type of malware can secretly monetize computer resources, without blatantly manifesting itself. It just transforms the affected computer in a "golden mine" that mines cryptocurrencies until the user of the infected computer notices the malware. Many users may never notice the malware, thus becoming permanent miners.

In comparison with ransomware applications which use computer resources to spread themselves and botnets for rent which allow fraudsters to use computer resources to conduct cyber-attacks, cryptocurrency mining malware applications are less intrusive and, therefore, less detectable. However, the damages caused by cryptocurrency mining malware should not be underestimated. In January 2018, The
Financial Times announced that, in 2018, bitcoin operations may require more electricity than that used by Argentina (a country having a population of more than 43 million people). Considering that Bitcoin is just one of a large number of cryptocurrencies, we can conclude that a significant portion of world's electrical power will be spent for crypto operations.

Cryptocurrency mining malware applications, such as Dofoil and NotPetya, have the potential to cause a tremendous amount of energy expenditure which can otherwise can be used for legitimate purposes. Although the energy waste caused by cryptocurrency mining malware applications is unknown, it is likely to be significant since Microsoft found that Dofoil alone attempted to infect more than 400,000 computers within 12 hours. In addition to wasting energy, cryptocurrency mining malware applications may slow down computers and Internet connections.

4. Conclusions

This article has shown that we are currently witnessing a shift in the cybersecurity threats from ransomware to cryptocurrency mining malware applications. This trend is likely to continue as the blockchain market size is expected to grow from USD 411.5 million in 2017 to USD 7,683.7 million in 2022. The growth in the blockchain market will further increase the demand for computer resources, and hackers will attempt to benefit from the high demand by attempting to supply such resources with the aim to earn cryptocurrencies unlawfully.


1. Badkar, M., 'Bitcoin energy demand in 2018 could match Argentina – Morgan Stanley', Financial Times, 10 January 2018. Available at

2. 'Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign', 7 March 2018, Microsoft Secure. Available at .

3. 'Blockchain Market worth 7,683.7 Million USD by 2022', Markets and Markets, Press Release. Available at

4. Costlow, K., 'The Year of Ransomware: 2017 Recap and 2018 Predictions', STEATHbits, 20 November 2017. Available at

5. "Cyberthreats Increasing But Shifting, With Ransomware Attacks Down 17 Percent", BusinessWire. Available at

6. Kumar, M., 'New Cryptocurrency Mining Malware Infected Over 500,000 PCs in Just Few Hours', The Hacker News, 8 March 2018.

7. Osena, M., 'Cryptocurrency-Mining Malware: 2018's New Menace?', TrendMicro Blog, 28
February 2018. Available at

8. Zago, M., '2017 Was the Year of Blockchain Awareness. 2018 Is the Year of Adoption', Medium, 13 January 2018. Available at


Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (, a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.