This ransomware was rewritten to mine cryptocurrency - and destroy your files

Some criminals are shifting from ransomware to cryptocurrency miners - those behind XiaoBa have rejigged the code to shift the same malware towards a different focus.
Written by Danny Palmer, Senior Writer

Cybercriminals are known to be shifting away from ransomware in favour of cryptocurrency mining, but those behind one form of malicious software have pivoted by re-purposing what was file-encrypting malware into something which now hijacks PCs for mining.

Uncovered by researchers at Trend Micro, the cryptocurrency miner is said to be "distinctly similar" to XiaoBa, a form of ransomware which first appeared in October last year, leading researchers to the conclusion that the ransomware code has been repurposed to fulfil a new task.

However, the code conversion doesn't appear to have gone smoothly, because the coinminer is also a file infector which prevents applications from working. The malware is also capable of destroying critical system files, which can render the system unusable if the infection spreads too far.

This activity isn't subtle and would likely alert the user that something is going wrong with their PC - something which those operating mining malware try to avoid in order to make profit while remaining undetected.

Researchers have uncovered two variants of the cryptocurrency-mining infector. Both use a Coinhive injection and both infect .exe, .com, .scr and .pif files, as well as disabling Windows User Account Control notifications.


"It seems like the ransomware code was repurposed, adding new capabilities to make it a more destructive cryptocurrency miner," wrote Trend Micro's Don Ladores and Angelo Deveraturda.

"The malware also uses huge resources because it stacks infections, which unnecessarily takes up more disk space. Since it is also a cryptocurrency miner, it uses the device's memory resources," said researchers.

Trend Micro recommends users protect themselves from XiaoBa by having "proper security measures".

Such is the success of mining malware that it has become as lucrative as ransomware for attackers. However, while ransomware isn't as popular as it was - and some attackers, like those behind XiaoBa, have abandoned it - it still remains a threat to home users and businesses.
