March 15, 2025
Thomas Stone, Founder
10 min read

The Economics of Ransomware: Why Attackers Choose Mining First

The Attacker's Calculus

To understand why cybercriminals often deploy cryptocurrency miners before escalating to ransomware, we need to examine the risk-reward calculations that drive their decision-making. Cybercrime, like any business, operates on economic principles of profit maximization and risk management.

The Risk Spectrum

From an attacker's perspective, different types of cyberattacks carry varying levels of risk:

  • Cryptojacking (Low Risk): Unauthorized cryptocurrency mining typically flies under the radar, generating steady income without drawing significant attention from law enforcement.
  • Data Theft (Medium Risk): Stealing sensitive information carries more risk but can be monetized through various channels.
  • Ransomware (High Risk): Deploying ransomware immediately announces the attacker's presence, triggers incident response procedures, and often attracts law enforcement attention.

The Revenue Model

The financial returns from these attack types track the risk ranking: the riskier the attack, the larger but less certain the payout:

  • Cryptojacking: Provides steady, predictable income over time
  • Data Theft: Requires finding buyers or exploiting the data, with variable returns
  • Ransomware: Offers potentially large, immediate payouts but with significant uncertainty

Given these dynamics, many attackers adopt a staged approach, starting with lower-risk activities and escalating only when necessary or when a particularly valuable target is identified.

The Cryptojacking-to-Ransomware Pipeline

Our research at TargetProof has identified a clear pattern where the same threat actors who deploy cryptocurrency miners will later deploy ransomware, particularly when their mining operations are discovered and terminated. This pattern reveals several key insights:

1. Shared Infrastructure and Access Methods

The technical requirements for deploying miners and ransomware are remarkably similar. Both require:

  • Initial network access
  • Privilege escalation
  • Persistence mechanisms
  • Command and control infrastructure
  • Evasion of security controls

Once an attacker has established this foothold for mining, pivoting to ransomware requires minimal additional effort: the access, privileges, persistence and command and control are already in place, and the marginal cost is little more than the ransomware payload itself.

2. Economic Incentives for Escalation

When a mining operation is discovered and shut down, the attacker faces a critical decision point:

  • Abandon the compromised network and find new targets
  • Attempt to re-establish mining operations
  • Escalate to ransomware to extract value before losing access

The economics often favor the third option, especially if the attacker has already mapped the network and identified valuable data or critical systems.

3. Risk Calculation Changes

Once detected, the risk profile of the operation fundamentally changes. The attacker knows that:

  • Their presence is already known
  • Security teams are actively working to remove them
  • The window for monetization is closing rapidly

In this scenario, ransomware becomes a rational economic choice. Most of the attacker's exposure (presence known, incident response under way) has already been incurred, so deploying ransomware adds little risk relative to the expected payout, and the attacker is likely to lose access to the network regardless of what they do next.

Case Study: From Mining to Ransomware

In a recent incident investigated by our team, a manufacturing company discovered cryptocurrency miners running on several servers. Within 48 hours of removing the miners and beginning remediation efforts, the organization was hit with a ransomware attack using the same access vector.

Analysis of the command and control infrastructure confirmed that both the mining operation and the ransomware were deployed by the same threat actor. This pattern has been observed repeatedly across industries, confirming our theory about the relationship between these attack types.

The Profitability Equation

To understand the economics more concretely, let's examine the potential returns from both attack types:

Cryptocurrency Mining Revenue

A compromised enterprise network with 100 systems might generate approximately:

  • $5-15 per day per system (depending on hardware specifications)
  • $500-1,500 daily across the network
  • $15,000-45,000 monthly if undetected

This revenue stream continues as long as the mining operation remains undetected, with minimal ongoing effort from the attacker.

Ransomware Revenue

The same network, if hit with ransomware, might face a ransom demand of:

  • $100,000-$500,000 for a mid-sized enterprise
  • $1-10 million for larger organizations
  • Higher amounts for organizations in critical sectors or with particularly sensitive data

However, this is a one-time payment with significant uncertainty about whether the victim will pay.
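The decision point described in "Economic Incentives for Escalation" can be written down as a small expected-value model using the figures above. The following is an added example, not TargetProof's model or data: every parameter (payment probability, the odds that re-planted miners survive, the days until they are found again) is an assumption chosen to fall inside the ranges the post quotes, and the functions show how far mining has to run undetected before it matches one expected ransomware payout.

```python
"""Expected-value model of the attacker's post-detection decision point.

Added example, not TargetProof's model. All numbers are assumptions
constructed to match the ranges quoted in the post, not measured values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    hosts: int                  # compromised systems
    usd_per_host_day: float     # mining yield per host per day (post: $5-15)
    ransom_usd: float           # ransom demand (post: $100k-500k, mid-size)
    p_pay: float                # assumed probability the victim pays
    p_reestablish: float        # assumed chance re-planted miners survive
    days_until_redetect: float  # assumed days before re-planted miners are found


# Constructed scenario: 100 hosts at $10/day, a $250k demand, 30% pay rate.
EXAMPLE = Network(hosts=100, usd_per_host_day=10.0, ransom_usd=250_000.0,
                  p_pay=0.30, p_reestablish=0.25, days_until_redetect=7.0)


def mining_daily(n: Network) -> float:
    """Daily mining revenue across the whole compromised network."""
    return n.hosts * n.usd_per_host_day


def ev_mining_undetected(n: Network, days: float) -> float:
    """Revenue if the original mining run lasts `days` before discovery."""
    return mining_daily(n) * days


def ev_abandon() -> float:
    """Option 1: walk away. No further revenue from this network."""
    return 0.0


def ev_reestablish(n: Network) -> float:
    """Option 2: re-plant miners. Pays only if they survive, and only until
    the now-alerted defenders find them again."""
    return n.p_reestablish * mining_daily(n) * n.days_until_redetect


def ev_ransomware(n: Network) -> float:
    """Option 3: escalate. A one-time payout discounted by the chance of non-payment."""
    return n.p_pay * n.ransom_usd


def best_option(n: Network) -> str:
    """Name of the option with the highest expected value at the decision point."""
    options = {
        "abandon": ev_abandon(),
        "reestablish": ev_reestablish(n),
        "ransomware": ev_ransomware(n),
    }
    return max(options, key=options.get)


def breakeven_days(n: Network) -> float:
    """Undetected mining days that equal one expected ransomware payout."""
    return ev_ransomware(n) / mining_daily(n)


def min_pay_probability(n: Network, mining_days: float) -> float:
    """Payment probability at which a ransom demand beats `mining_days`
    of quiet mining, i.e. the threshold above which escalation wins."""
    return ev_mining_undetected(n, mining_days) / n.ransom_usd


if __name__ == "__main__":
    n = EXAMPLE
    print(f"mining/day          ${mining_daily(n):,.0f}")
    print(f"EV re-establish     ${ev_reestablish(n):,.0f}")
    print(f"EV ransomware       ${ev_ransomware(n):,.0f}")
    print(f"break-even days     {breakeven_days(n):.0f}")
    print(f"p_pay to beat 30d   {min_pay_probability(n, 30):.2f}")
    print(f"best option         {best_option(n)}")
```

With these assumptions the post-detection comparison is lopsided: re-planting miners is worth a few thousand dollars in expectation, while the ransom demand is worth tens of thousands even at a modest payment rate, and a month of undetected mining only matches the demand if the victim's payment probability is in the low teens. Changing `p_pay` or `days_until_redetect` shows when the calculus flips back toward quiet mining.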

The Strategic Implications

Understanding this economic relationship between cryptojacking and ransomware has profound implications for cybersecurity strategy:

1. Early Detection is Critical

Identifying and removing cryptocurrency miners isn't just about reclaiming computing resources; a miner is proof that someone already holds working access, privileges and persistence in the network, and that same foothold is all a ransomware deployment needs. Organizations should treat cryptojacking as a serious security incident that may presage a more damaging attack, not as a resource-abuse nuisance.

2. Comprehensive Remediation is Essential

When miners are discovered, simply removing the malicious software is insufficient. Organizations must identify and close the initial access vector and conduct a thorough investigation to ensure the attacker hasn't established additional persistence mechanisms.

3. Heightened Alert During Remediation

The period immediately following the discovery of miners is a high-risk window for ransomware deployment. Security teams should implement enhanced monitoring and controls during this time to detect and prevent escalation attempts.
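The three implications above (detect miners early, trace the access vector rather than just deleting the binary, and watch closely during the remediation window) can be turned into simple triage logic. The following is an added example, not TargetProof's detection service, and it runs over constructed endpoint telemetry, not real logs. The indicator lists are assumptions: a few well-known open-source miner binary names, the stratum:// pool URL scheme that miners take on their command line, and a handful of TCP ports that mining pools commonly listen on. The sample events are constructed to show the pattern the post describes: a miner appears on one server, and after its removal the same credentials and source address are reused to plant persistence on a different host.

```python
"""Triage constructed endpoint events for cryptominer indicators, recover the
suspected access vector, and alert on escalation during the post-removal window.

Added example, not TargetProof's code. Indicator lists are assumptions and
the sample telemetry below is constructed, not captured from a real incident.
"""
import json
from datetime import datetime, timedelta

# Assumed indicators: not an authoritative signature set.
MINER_BINARIES = {"xmrig", "minerd", "cpuminer"}
STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
PERSISTENCE_EVENTS = {"scheduled_task", "service_install", "cron_write"}

# Constructed sample telemetry (JSON lines). Addresses are documentation ranges.
SAMPLE_EVENTS = """
{"ts":"2025-03-01T02:10:00","type":"logon","host":"srv-07","src_ip":"203.0.113.5","user":"svc_backup"}
{"ts":"2025-03-01T02:12:30","type":"process_start","host":"srv-07","user":"svc_backup","cmdline":"/tmp/.x/xmrig -o stratum+tcp://pool.example:3333 -u 4ABC --donate-level=0"}
{"ts":"2025-03-01T02:12:31","type":"net_connect","host":"srv-07","dst_ip":"198.51.100.20","dst_port":3333}
{"ts":"2025-03-01T09:00:00","type":"process_start","host":"srv-07","user":"root","cmdline":"/usr/bin/rsync -a /data /backup"}
{"ts":"2025-03-03T11:00:00","type":"net_connect","host":"ws-12","dst_ip":"192.0.2.44","dst_port":443}
{"ts":"2025-03-03T14:00:00","type":"logon","host":"srv-02","src_ip":"203.0.113.5","user":"svc_backup"}
{"ts":"2025-03-03T14:05:00","type":"scheduled_task","host":"srv-02","user":"svc_backup","cmdline":"schtasks /create /tn upd /tr C:/Windows/Temp/u.exe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime in `ts`."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def miner_indicators(ev):
    """Reasons an event looks like cryptomining (empty list if none)."""
    reasons = []
    if ev["type"] == "process_start":
        cmd = ev["cmdline"].lower()
        exe = cmd.split()[0].replace("\\", "/").rsplit("/", 1)[-1]
        if exe in MINER_BINARIES:
            reasons.append(f"known miner binary: {exe}")
        if any(s in cmd for s in STRATUM_SCHEMES):
            reasons.append("stratum pool URL on command line")
    elif ev["type"] == "net_connect" and ev["dst_port"] in POOL_PORTS:
        reasons.append(f"outbound connection to pool port {ev['dst_port']}")
    return reasons


def find_miners(events):
    """Map each host with miner indicators to its first hit and all reasons."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = miner_indicators(ev)
        if reasons:
            entry = hits.setdefault(ev["host"], {"first_seen": ev["ts"], "reasons": []})
            entry["reasons"].extend(reasons)
    return hits


def suspected_access_sources(events, hits):
    """(src_ip, user) pairs that logged on to a mining host before its first hit.
    These are the access-vector candidates that remediation must close."""
    return {
        (ev["src_ip"], ev["user"])
        for ev in events
        if ev["type"] == "logon"
        and ev["host"] in hits
        and ev["ts"] <= hits[ev["host"]]["first_seen"]
    }


def escalation_alerts(events, hits, discovered_at, window=timedelta(hours=72)):
    """Within the post-discovery window, flag reuse of a suspected access vector
    on any host and any new persistence mechanism: the escalation pattern."""
    if isinstance(discovered_at, str):
        discovered_at = datetime.fromisoformat(discovered_at)
    sources = suspected_access_sources(events, hits)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not (discovered_at <= ev["ts"] <= discovered_at + window):
            continue
        if ev["type"] == "logon" and (ev["src_ip"], ev["user"]) in sources:
            alerts.append((ev["ts"], ev["host"], "access vector reused after miner removal"))
        if ev["type"] in PERSISTENCE_EVENTS:
            alerts.append((ev["ts"], ev["host"], f"new persistence: {ev['type']}"))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    hits = find_miners(evs)
    for host, info in hits.items():
        print(host, info["first_seen"], "; ".join(info["reasons"]))
    print("close:", suspected_access_sources(evs, hits))
    for ts, host, why in escalation_alerts(evs, hits, "2025-03-02T10:00:00"):
        print("ALERT", ts, host, why)
```

The point of `suspected_access_sources` is the remediation step the post insists on: the miner on srv-07 is the symptom, while the service account and source address that preceded it are the vector. In the constructed data, removing the binary on 2025-03-02 does nothing about that vector, and the next day it reappears on srv-02 creating a scheduled task, exactly the escalation window the post describes. A real deployment would feed these functions from EDR or SIEM telemetry and extend the indicator lists with the organization's own baselines.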

Conclusion

The economics of cybercrime help explain why attackers often choose to deploy cryptocurrency miners before escalating to ransomware. By understanding this relationship, organizations can better protect themselves by treating cryptojacking as an early warning sign and taking appropriate measures to prevent escalation.

At TargetProof, we continue to monitor these patterns and develop solutions that help organizations detect mining operations early, respond effectively, and prevent the devastating impact of ransomware attacks. Our mining detection service and anti-ransom cryptocurrency reserve strategy provide a comprehensive approach to addressing this evolving threat landscape.