Researchers have cracked open Cerber and revealed it to be one of the most lucrative ransomware-as-a-service (RaaS) platforms in the world.
“Cerber has a wide distribution, due in part to its successful use of leading exploit kits. By monitoring the actual C&C communications, we were able to create a complete view of the ransomware’s activity. Cerber is currently running 161 active campaigns, launching an average of eight new campaigns daily, which have successfully infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone.”
Exploit kits have indeed played a large part in Cerber’s distribution, though to varying degrees. The Magnitude exploit kit accounted for 84 percent of exploit kit infections, including those that resulted from a malvertising attack that struck Pirate Bay back in April. Neutrino and Rig followed at 14 percent and 2 percent, respectively.
Even so, Cerber likely derives most of its success from its affiliate program.
And why wouldn’t it? What novice computer criminal wouldn’t want to penny up the dough for access to command-and-control (C&C) servers and a control interface with up to 12 language settings, design their own campaigns, and get to keep up to 60 percent of the profits?
If that weren’t enough, most affiliates can rest assured they will never caught. Check Point explains the magic rests with how Cerber’s RaaS platform processes ransom payments, which usually amount to about one Bitcoin (or around US $590):
“The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage.”
In total, only about 0.3 percent of victims agree to pay for the return of their files. But that’s enough for the ransomware author to take in nearly one million dollars on an annual basis from the affiliate scheme alone, making Cerber one of the most profitable RaaS services around.
Check Point offers many more technical details about Cerber in a report, which is available for download here. It has also released a decryption tool for the ransomware, which Lawrence Abrams of Bleeping Computer has dissected.
Let’s hope the decryption tool receives regular updates as the ransomware continues to evolve, like it did back in June.
Just in case it doesn’t, make sure you protect yourself against Cerber ransomware infections by avoiding suspicious links and attachments, making secure backups of your important data, and by keeping your software up-to-date.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.