KSNReport:Ransomwareandmaliciouscryptominers2016-2018:Adisappearingspecies-abrieflookatransomwaredeclineoverayear..............................................................................5Gamechanger–howcryptocurrencyminersbeatthemall.........18Part1.PCminers.............................................................................18Part2.Mobileminers.......................................................................24Part3.Betweenblackandwhite:arerisktoolsreplacingmalware?..........................................................................................29Conclusionsandpredictions..............................................................33Fightingback.....................................................................................343ExecutivesummaryandmainfindingsRansomwareisnotanunfamiliarthreat.Forthelastfewyearsithasbeenaffectingtheworldofcybersecurity,infectingandblockingaccesstovariousdevicesorfilesandrequiringuserstopayaransom(usuallyinBitcoinsoranotherwidelyusede-currency),iftheywanttoregainaccesstotheirfilesanddevices.Thetermransomwarecoverstwomaintypesofmalware:so-calledwindowblockers(whichblocktheOSorbrowserwithapop-upwindow)andcryptors(whichencrypttheuser’sdata).ThetermalsoencompassesselectgroupsofTrojan-downloaders,namelythosethattendtodownloadencryptionransomwareonceaPCisinfected.KasperskyLabhasatraditionofreportingontheevolutionofransomware–andyoucanfindpreviousreportsonthethreathereandhere.Thisyear,however,wecameacrossahugeobstacleincontinuingthistradition.Wehavefoundthatransomwareisrapidlyvanishing,andthatcryptocurrencyminingisstartingtotakeitsplace.Thearchitectureofcryptocurrenciesassumesthat,inadditiontopurchasingcryptocurrency,ausercancreateanewcurrencyunit(orcoin)byharnessingthecomputationalpowerofmachinesthathavespecialized‘mining’softwareinstalledonthem.Cryptocurrencyminingistheprocessofcreatingthesecoins–ithappenswhenvariouscryptocurrencytransactionsareverifiedandaddedtothedigitalblockchainledger.Theblockchain,initsturn,isachainofsuccessiveblocksholdingrecordedtransactionssuchaswhohastransferredbitcoins,howmany,andtowhom.Allparticipantsinthecryptocurrencynetworkstoretheentirechainofblockswithdetailsofallofthetransactionsthathaveeverbeenmade,andparticipantscontinuouslyaddnewblockstotheendofthechain.Thosewhoaddnewblocksarecalledminers,andintheBitcoinworld,asarewardforeachnewblock,itscreatorcurrentlyreceives12.5Bitcoins.That’sapproximately$30,000accordingtotheexchangerateonJuly1,2017.Youcanfindoutmoreabouttheminingprocesshere.Giventheabove,thisreportwillexaminewhatishopefullyransomware’slastbreath,indetail,alongwiththeriseofmining.ThereportcoverstheperiodApril2017toMarch2018,andcomparesitwithApril2016–March2017.Methodology:ThisreporthasbeenpreparedusingdepersonalizeddataprocessedbyKasperskySecurityNetwork(KSN).ThemetricsarebasedonthenumberofdistinctusersofKasperskyLabproductswiththeKSNfeatureenabled,whoencounteredransomwareandcryptominersatleastonceinagivenperiod,aswellasresearchintothethreatlandscapebyKasperskyLabexperts.4Mainfindings:•Thetotalnumberofuserswhoencounteredransomwarefellbyalmost30%,from2,581,026in2016-2017to1,811,937in2017-2018;•Theproportionofuserswhoencounteredransomwareatleastonceoutofthetotalnumberofuserswhoencounteredmalwarefellbyaround1percentagepoint,from3.88%in2016-2017to2.80%in2017-2018;•Amongthosewhoencounteredransomware,theproportionwhoencounteredcryptorsfellbyaround3percentagepoints,from44.6%in2016-2017to41.5%in2017-2018;•Thenumberofusersattackedwithcryptorsalmosthalved,from1,152,299in2016-2017to751,606in2017-2018;•Thenumberofusersattackedwithmobileransomwarefellby22.5%from130,232in2016-2017to100,868in2017-2018;•Thetotalnumberofuserswhoencounteredminersrosebyalmost44.5%from1,899,236in2016-2017to2,735,611in2017-2018;•Theshareofminersdetected,fromtheoverallnumberofthreatsdetected,alsogrewfromalmost3%in2016-2017toover4%in2017-2018;•Theshareofminersdetected,fromoverallrisktooldetections,isalsoontherise–fromover5%in2016-2017toalmost8%in2017-2018;•Thetotalnumberofuserswhoencounteredmobileminersalsoincreased–butatasteadierpace,growingby9.5%from4,505in2016-2017to4,931in2017-2018.5Introduction:Adisappearingspecies-abrieflookatransomwaredeclineoverayearEarly2017witnessedadangeroustrend:cybercriminalsstartedtoturntheirattentionawayfromattacksagainstprivateusers,totargetedransomwareattacksagainstbusinesses.Focusingmainlyonfinancialorganizationsworldwide,ransomwareactorswerehuntingnewandmoreprofitablevictims.Ontheonehand,thischangeledtoransomwarebeingthe‘storyoftheyear’.Ontheotherhand,thischangeturnedouttobemoreofanisolatedsurgethanatrend.Thepastyear’smostremarkableransomwaretrendwastherapidspreadofthreatssuchasWannacryandBadrabbit.Thesewereglobalepidemicsthattrigge