In the world of digital thievery, a business model pivot is apparently underway.
Over the past year cybercriminals have shifted their focus from ransomware attacks to so-called cryptojacking. That’s the marquee finding out of a new threat report published by IBM this week: Instances of the former money-making scheme were down 45% in 2018, while occurrences of the latter surged 450% in the same timespan, per IBM’s data.
Whereas with ransomware, hackers were locking up victims’ computer files and reinstating access only after being paid a ransom, cryptojacking has involved hijacking people’s computers to “mine,” or run programs that produce, cryptocurrency. These mining scams have been caught everywhere from websites of the U.S. court system, to Google Chrome extensions, to Tesla’s cloud-computing infrastructure, and beyond.
I spoke about the implications of the trend with Charles Henderson, who leads the hacking team that produced the research, IBM’s X-Force Red. (“I like to tell people that X-Force Red is a new shade of IBM blue,” Henderson says, with a touch of Texas drawl, of his not yet 3-year-old unit.)
Henderson views the criminal underground’s turn toward cryptojacking as a bit of fine-tuning in the quest for profits. “This isn’t the Olympics, there are no style points…there are no sharks with lasers on their heads,” Henderson says. Instead of pursuing fancy hacking flourishes, criminals are interested solely in the easiest path to ROI, or return on investment, he says.
Because cryptomining is less disruptive to consumers and businesses than extortion, it’s a sounder means of generating revenues. “With the extortion racket of ransomware, you lose the customer after one transaction, so it’s a one and done, there’s no recurring revenue—I mean its just bad business,” Henderson says.
Now the baddies have wisened up; they’ve learned the budgetary benefits of regularity and predictability. “The bane of any founder is that chunky revenue stream,” Henderson says, referring to the inconsistency of one-off ransom payments. The mining model, on the other hand, has all the advantages of subscription revenues.
One troublesome outcome of this change in tactics is that cybercriminal attacks are flying under the radar more often. “When you have a screen staring you in the face that says it’s not going to give your files back unless you pay, that is a Level One emergency,” Henderson says. But if you merely hear some complaints about slower-than-usual Internet connection speeds, as may be the case for victims of cryptojacking, that raises fewer alarms.
Ignoring this ballooning threat is, ultimately, a big mistake; the scheme could wreak considerable havoc down the road. “The criminals are setting themselves up for future expansion of their criminal enterprises,” Henderson warns.
Indeed, what consists of stealthy cryptocurrency mining today could easily evolve into schemes for cracking troves of hashed, stolen passwords for all sorts of nefarious purposes in the future. Afflicted machines could become a springboard for launching more insidious attacks. And the cryptojackers could even sell the botnets they amass to threat actors with far worse intentions.
Crime is a business, and the crooks are studying, mastering, adapting at a rapid clip. “It’s like the criminals went to ‘B’ school,” Henderson says.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.