Check Point Software Technologies Ltd have published new findings on one of the largest active ransomware-as-a-service franchises in the world, Cerber.
The report offers an unprecedented behind-the-scenes view into the complex cyber campaign. It aims to shine a light on the growing ransomware-as-a-service industry and revealing a path researchers are now using to help individuals and businesses gain access to their encrypted files – without paying the increasingly inflated ransoms of cyber criminals.
In the 60-page report, Check Point’s Threat Intelligence and Research Team and IntSights Cyber Intelligence, identifies new details and analysis on Cerber’s technical and business operation. The report has revealed the following:
- Of all ransomware, the Cerber infection rate is significantly higher and more profitable. Cerber is currently running more than 160 active campaigns across the globe, with total annual projected revenue of approximately $2.3 million. Each day eight new campaigns on average are launched; in July alone, the research revealed approximately 150,000 victims affected in 201 countries and territories.
- Cerber affiliates have become successful money launderers. Cerber uses the Bitcoin currency to evade tracing, and creates a unique wallet to receive funds from each of its victims. Upon paying the ransom (usually one Bitcoin, which is currently worth $590), the victim receives the decryption key. The Bitcoin is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track them individually. At the end of the process, the money reaches the developer, and the affiliates receive their percentage.
- Cerber is opening the doors for more would-be hackers. Cerber enables non-technical individuals and groups to take part in the highly profitable business and run independent campaigns, using a set of assigned Command & Control (C&C) servers and a convenient control panel available in 12 different languages.
Since June 2016, Check Point and IntSight have been charting a comprehensive map of the complex system developed by Cerber, as well as its global distribution infrastructure. Researchers were able to regenerate actual victim wallets, allowing the team to monitor payments and transactions, and opening the door to track both the revenue gained by the malware and the money flow itself. Further, this information provided the blueprint for a decryption tool that could remedy infected systems without individuals or businesses bending to cyber-criminal ransom demands.
“This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry,” says Maya Horowitz, group manager, Research & Development, Check Point. “Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections.”