How Profitable Is Malware for Criminal Organizations?

Ever wondered if malware is profitable? If it didn’t bring in a decent amount of money, there wouldn’t be quite so much of it, that’s for sure. But figuring out how much a malware campaign makes is difficult for security researchers, not least because attackers go to such lengths to disguise their activities.

So, how much money does malware make?

How Does Malware Make Money?

The question of malware returning a profit is a common one. If someone is spending the time to develop and perfect malware, then surely there is enough money in it to put food on the table?

The answer isn’t clear-cut.

However, a report from cybersecurity firm Intezer has revealed exactly how much profit a single cryptojacking campaign is generating, providing a detailed look at an ongoing malware campaign’s internal workings.

Profitable Cryptojacking Campaign?

Cryptojacking is the process of hijacking a machine and installing crypto-mining software, using the victim’s hardware and electricity to mine cryptocurrencies.

The cryptojacking malware works silently. Most of the time, the victim doesn’t notice anything is wrong with their computer until its fans start running more frequently and any activity on the system takes ages to complete.

Intezer’s report identifies a cryptojacking campaign targeting Linux machines (no, Linux machines are not immune to malware) that had been active for around a year when the report was published in January 2021.

What may surprise some people is the extensive analysis of the cryptojacking campaign available to the attacker, with screens detailing mining activity, hash rates, daily income amounts, and more. However, in the contemporary era of malware, and especially with malware for hire schemes, management dashboards are not entirely uncommon.

Mining Monero Anonymously

In this case, the cryptojacking campaign is running two wallets, both of which were still accumulating cryptocurrency, indicating that the malware was still active. The cryptocurrency in question is Monero (XMR), a very secure and privacy-focused crypto.

cryptojacking malware campaign profit

One wallet had accumulated around 32 XMR, which is roughly $5,200 at the time of writing. The second wallet contained around 30 XMR, which is around $4,800. So, in roughly 12 months of operation, the two dashboards the Intezer team gained access to had made around $10,000 in profit.

There are caveats to this, of course. In terms of cryptojacking, the amount of profit relates to the value of the cryptocurrency. Cryptojacking malware often uses privacy-focused Monero as it is truly untraceable (unlike Bitcoin, which is pseudo-anonymous). In April 2020, 1 XMR was worth roughly $40, vastly less than the current value.

Still, cryptojacking is almost pure profit from that standpoint. The attacker uses the victim’s hardware, incurring no cost of electricity or hardware damage of their own.

Is Ransomware Profitable?

The Intezer cryptojacking campaign report is just one example. There are countless malware operations taking place worldwide, all seeking to profit in some format.

Cryptojacking, though, doesn’t grab the headlines. That role falls to one of the most notorious malware types of the 21st Century: Ransomware.

According to the EMSISOFT Cost of Ransomware blog, the average cost of a ransomware ransom demand stands at $84,000. That’s $84,000 to provide a decryption key or decryption tool to unlock data held to ransom. Otherwise, the organization may lose access to it permanently.

The blog post also states that 33 percent of companies pay the demand. For them, the cost of losing data is too high, as is the disruption to services and ongoing cost of the data loss.

Every year, businesses and other organizations pay criminals millions of dollars to unlock their data. But where you are in the world also makes a difference to your likelihood of paying the ransom. The Sophos State of Ransomware 2020 report indicates that Indian businesses pay the ransom 66 percent of the time, while only 25 percent of US businesses pony up.

sophos ransomware payment by country

Cryptocurrency Stealing Malware

So, while we’ve covered cryptojacking malware, there is also malware that exists to steal cryptocurrency wallets. When the price of Bitcoin rises, so does the number of cryptocurrency stealing malware incidents with it.

A cursory internet search for “malware stealing crypto” reveals multiple malware alerts from the past few years. The sole purpose of some malware types is to steal cryptocurrency (usually by the theft of private encryption keys used to secure the unique cryptocurrency wallet), while for others, cryptocurrency theft is a bonus or additional function.

Related: ElectroRAT Malware Targeting Cryptocurrency Wallets on Windows 10

There is no hard and fast number on how much cryptocurrency is stolen each year through malware. A mid-2019 CipherTrace report found an estimated $4 billion in cryptocurrency theft from January to August 2019, though this also includes SIM swapping, URL hijacking, cryptojacking, and other attacks.

This leads to another important point regarding cryptocurrencies. The theft doesn’t always involve consumers. High-value cryptocurrency exchanges are prime targets for criminals and account for a large volume of lost cryptocurrency. That $4 billion figure also accounts for Bitfinex, a major exchange, “losing” $851 million worth of cryptocurrency.

Staying Safe From the Malware Ecosystem

Malware is an all-encompassing word. It applies a broad stroke to what is more nuanced. The malware ecosystem covers multiple types, many of which will use different attack vectors to access a system.

Then there is the question of why the attacker is there. Are they stealing data to sell at a later date? How about stealing data for blackmail? Or are they forcing a user to buy useless antivirus software, stealing their banking information in the process?

The combination of threats is substantial. Here’s a shortlist of common malware threat types:

  • Ransomware: As above, the attacker encrypts the contents of your computer and demands a ransom to unlock them.
  • Stealing Data: An attacker acquires a vast amount of data from a private service and sells access to it to the highest bidder (or even just a flat rate, as seen in many cases). Alternatively, an individual is targeted, their data is stolen, then blackmailed.
  • Stealing Logins: Somewhat of an extension of stolen data, but the attackers sell login credentials for accounts, such as PayPal, banks, Instagram, and so on.
  • Pay-per-Click: The attacker infects the target computer and manipulates internet traffic to hit sites the criminals own, featuring a wealth of adverts.
  • Fake Software/Pop-ups: Fake software, particularly antivirus programs, are a common source of income. The malware displays pop-ups advising you that you have an infection and the only way to clear it is to purchase the suggested antivirus. Not only does the antivirus program not work, but you could also lose your bank information in the process.

These are just five common methods of how malware is profitable for attackers. There are countless more variations and combinations to be used together.

So how do you stay safe? Start with our online security guide, featuring countless tips to stay safe against malware and the numerous other scams waiting out there.

The Best Antivirus Software for Windows 10

Want to tighten security on your PC? Here are the best antivirus software options for Windows 10.

About The Author