Cybercriminals are moving their focus from ransomware to cryptocurrency mining malware, going as far as repurposing their old ransomware files to mine cryptocurrencies, as the latter is reportedly a more profitable endeavor.

According to a report published by cybersecurity firm Kaspersky, cybercriminals are not only repurposing their ransomware, they’re also starting to use their botnets to get to victims. The report claims this is happening as competition in the distributed denial of service (DDoS) market was driving profits down, and users often don’t find out malware is running on their machines to mine cryptos.

Per Kaspersky, the actual costs of creating cryptocurrency mining malware are somewhat low, and cybercriminals are now using ready-to-use programs and miner builders to create their own versions. Web-based miners like Coinhave have also been growing in popularity.

Mining differs favorably for cybercriminals in that, if executed properly, it can be impossible for the owner of an infected machine to detect, and thus the chances of encountering the cyberpolice are far lower. And the reprofiling of existing server capacity completely hides its owner from the eyes of the law

Kaspersky’s report claims that cryptocurrency price drops earlier this year saw the number of infections decline as general interest in cryptos waned. The threat, however, is still there and the first quarter of this year “saw a boom in cryptominers.” The cybersecurity firm points out that evidence suggests the owners of well-known botnets are now switching to cryptocurrency miners.

The researchers pointed out that some cryptojacking malware is even behind hidden in victims’ systems. As CryptoGlobe covered, some have been doing this by masking the malware as Adobe product updates.

Cybercriminals Prefer Monero

Monero (XMR), a privacy-centric cryptocurrency accepted in most top crypto exchanges, is notably the preferred currency for cybercriminals. This, Kaspersky adds, because of its “anonymous algorithm, relatively high market value, and ease of sale.”

Monero’s proof-of-work algorithm allows it to be mined with users’ CPU resources, meaning most consumer-grade computers can give cryptojackers a profit, as they don’t pay for the hardware or the energy used.

Some estimates suggest that the cryptojacking trend has grown so much that about 5% of XMR’s total circulating supply have been illegally mined. Given the market’s slump, this would mean $50 million have been mined this way.

Notably, crypto exchanges’ know-your-customer (KYC) and anti-money laundering (AML) checks have been attempting to stop criminals from cashing in on illegally obtained funds. As reported, Changelly has revealed it may withhold users’ XMR is it deems it necessary.

Crypto Mining Malware Distribution

According to Kaspersky, cryptocurrency mining malware is distributed mainly through pirated software, as there is a correlation between its distribution and the number of miner attacks. The document notes that “the more freely unlicensed software is distributed, the more miners there are.”

Adware installers distributed using social engineering techniques are also a reported attack vector, while well-known sophisticated options are seemingly rare, and mostly used to target servers. The number of unique users attacked peaked in March of this year, and appears to have started to rise in September.

The number of unique users affected by crypto mining malwareSource: Kaspersky

Notably, cryptocurrency regulations seem to have no impact on the cryptojacking trend. Countries that restricted cryptocurrencies, including Vietnam and Algeria, are up the list when it comes to being attacked, with Vietnam coming in second place with 13% of attacks. Kazakhstan is the most affected country, with 16.75% of attacks.

The US, the UK, and Switzerland are the least affected ones, all suffering less than 2% of attacks.