Like most non-criminal people, attackers are pretty much just looking for ways easy ways to make money. For years, this meant stealing credit card numbers, Social Security numbers, or bank account credentials and then cashing them out, either selling them in batches on the underground or withdrawing money themselves. That’s still a decent business for some sections of the underground, but card issuers and banks have stepped up their security in the last few years and it’s becoming more difficult to make the large sums that were common five or 10 years ago.

More recently, ransomware has been the go-to move for ambitious bad guys. Ransomware-as-a-service offerings have sprung up, allowing even low or no-skill attackers to rent or buy ransomware variants, rig up some malicious sites or phishing emails, and then sit back and wait for the money to roll in. The number of ransomware variants circulating has exploded in the last few years, and some large-scale infections such as WannaCry have taken down large corporations and caused millions of dollars in damage. In response, the FBI, Europol, and other law enforcement agencies around the world have been focusing on taking down ransomware gangs and the infrastructures they use, with some notable successes.

And now some attackers have shifted tactics again to focus on mining magic Internet money. Researchers have been tracking a number of threat groups in recent months that are compromising large numbers of machines or IoT devices and installing specialized software designed to mine various cryptocurrencies. Cisco’s Talos research team this week took a deep dive into the world of malicious cryptominers and found that there is some serious money to be made in this weird new world. The table stakes for this game are low, and the payoffs can be quite high.

“The biggest reason of them all is the potential monetary payout associated with mining activity. If it didn't generate a profit, the bad guys wouldn't take advantage of it. In this particular vein malicious miners could be a pretty large source of revenue. The biggest cost associated with mining is the hardware to mine and the electricity to power the mining hardware. By leveraging malicious miners attackers can take both of those costs out of the equation altogether. Since they are able to take advantage of computing resources present in infected systems, there is no cost for power or hardware and attackers receive all the benefits of the mined coin,” Cisco’s Talos team wrote in a long analysis of the trend.

“An average system would likely compute somewhere around 125 hashes per second. One system alone without any hardware or electricity cost would generate about $0.25 of Monero a day, which doesn't seem like a lot but when you start pooling systems the amount of earning potential increases rapidly. Some of the largest botnets across the threat landscape consist of millions of infected systems under the control of an attacker. Imagine controlling a small fraction of the systems that are part of one of these botnets (~2,000 hosts). The amount of revenue that can be generated per day increases considerably to more than $500 in Monero per day or $182,500 per year.”

That’s serious money, and with exactly the kind of effort that attackers like most: not much. Cryptomining has a number of other advantages for attackers, including the fact that once an attacker has a cryptominer on a machine, it’s unlikely that the victim will ever notice it. Also, this kind of malware can be delivered through existing criminal infrastructure, such as phishing campaigns or compromised sites. Some groups are using exploit kits to compromise target machines and install their miners, as well.

Cryptomining is the logical extension of both malware and cryptocurrency and it looks like it’s here to stay.

“Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money and crypto mining is an effective way to generate revenue. It's not going to generate large sums of money for each individual system, but when you group together hundreds or thousands of systems it can be extremely profitable. It's also a more covert threat than ransomware,” the Talos team said.