As ransomware evolves, cybercriminals are finding new ways to leverage ransomware to earn money according to cybersecurity firm Kaspersky.

Kaspersky has recently identified a new type of ‘ransominer’ called XMRig miner.

XMRig miner is a cryptocurrency miner which is spread through common Trojan ransomware. It used to mine Monero cryptocurrency from a user’s device.

Cybercriminals use a common Trojan virus dubbed Trojan.Win32.Generic to remotely access a user’s device and install the miner on their device.

After running an open remote desktop protocol (RDP) on the victim’s computer, they start running the ransomware Trojan-Ransom.Win32.Crusis followed by the loader of the XMRig miner, which then begins mining Monero cryptocurrency.

“As a result, the computer would already start earning money for the cybercriminals at the same time the user saw the ransom note. In addition, RDP access allowed the attackers to manually study the victim’s network and, if desired, spread the ransomware to other network nodes,” explained Kaspersky.

According to Kaspersky’s report, in August 2020 alone there were over 5,000 attempts to install XMRig on users’ computers.

“While well-known groups make money from data theft and ransomware (for example, Maze, which is suspected of the recent attacks on SK Hynix and LG Electronics), many malicious users still want to have a high-profile impact through their cybercrime. These users are often beginners and tend to use publicly available ransomware, targeting ordinary users instead of the corporate sector. As a result, intriguing experiments can be found in the wild,” said Anton Kuzmenko, a security expert at Kaspersky.

“As protection methods improve, the developers of miners have had to enhance their own creations, often turning to non-trivial solutions. Several such solutions (previously unseen by us) were detected during our analysis of the open-source miner XMRig,” Kuzmenko further wrote in a blog post.