McAfee threats report shows growth of Ransomware as a Service


A day after its founder died in a Spanish prison cell, cybersecurity company McAfee Corp has released its McAfee Threats Report: June 2021, examining cybercriminal activity related to malware and the evolution of cyber threats in the first quarter of 2021.

The quarter saw cyber adversaries shift from low-return, mass-spread ransomware campaigns toward fewer, customised Ransomware-as-a-Service (RaaS) campaigns targeting larger, more lucrative organisations. A proliferation in 64-bit CoinMiner applications drove the growth of cryptocurrency-generating coin mining malware by 117%. Additionally, a surge in the growth of new Mirai-based malware variants drove increases in malware targeting Internet of Things (55%) and Linux (38%) systems.

Says Raj Samani, McAfee fellow and chief scientist:

“Criminals will always evolve their techniques to combine whatever tools enable them to best maximise their monetary gains with the minimum of complication and risk.”

“We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see Ransomware as a Service supporting many players in these illicit schemes holding organisations hostage and extorting massive sums for the criminals.”


Ransomware declined by 50% in Q1 due in part to a shift by attackers from broad campaigns attacking many targets with the same samples to campaigns attacking fewer, larger targets with unique samples. Campaigns using one type of ransomware to infect and extort payments from many victims are notoriously “noisy” in that hundreds of thousands of systems will, in time, begin to recognise and block these attacks.

By enabling attackers to launch unique attacks, RaaS affiliate networks let adversaries minimise the risk of detection by large organisations’ cyber defenses and then paralyse and extort them for large ransomware payments. This shift is reflected by the decline in prominent ransomware family types from 19 in January 2021 to 9 in March 2021.

Despite the high-profile attacks from the DarkSide RaaS group exposed in Q2 2021, REvil was the most detected in Q1, followed by the RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze and Babuk strains.

Coin Miner Malware

While prominent ransomware attacks have focused attention on how criminals use ransomware to monetise their crimes with payments in cryptocurrency, a first-quarter 117% surge in the spread of cryptocurrency-generating coin mining malware can be attributed to a sharp spike in 64-bit CoinMiner applications.

Rather than locking up victims’ systems and holding them hostage until cryptocurrency payments are made, Coin Miner malware infects compromised systems and silently produces cryptocurrency using those systems’ computing capacity for the criminals that designed and launched such campaigns. The advantage to cybercriminals is that no interaction is required of either the perpetrator or the victim. While the victim’s computers may operate slower than usual due to the coin miner’s workload, victims may never become aware that their system is creating monetary value for criminals.



Chris Price