Cerber Ransomware-as-a-Service Generates $2.3 Million Annually: Report

Operators behind the Cerber ransomware are currently running 161 active campaigns, which generate an estimated $2.3 million in annual revenue, according to a new report from Check Point and IntSights.

Check Point researchers have been tracking the malware since June and discovered that eight new campaigns are launched each day, on average. Their research once again reveals that the ransomware-as-a-service (RaaS) business model allows almost anyone to become a cybercriminal.

In July alone, the malware impacted around 150,000 victims in 201 countries, the "CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service" report (PDF) reveals. Courtesy of this extensive infection rate, greater than that of other ransomware, the Cerber operators made an estimated profit of $195,000 during July, which translates into an estimated revenue of $2.3 million per year.

The demanded ransom is only 1 Bitcoin, which is worth around $590 at the moment. Of the $195,000 in profit made in July, approximately $78,000 went to the malware developer, while the rest was split between the affiliates. The security researchers estimate that the ransomware author gets around $946,000 per year, with little risk.

These cybercriminals enjoy high profits even if only around 3 percent of the victims purchase their decoder. The percentage depends on geography and distribution method (exploit kits, drive-by-downloads, spam), but researchers discovered that Australia, Canada, Great Britain, the United States, Germany, France, Italy, and India are the top countries for paying the ransom and purchasing the decoder.

According to the report, Cerber is proof of how large and lucrative the RaaS industry has become, as it is no longer exclusive to skilled cybercriminals who can write sophisticated code and establish a steady infrastructure. Cerber’s success relies on a large private affiliate program where the ransomware authors recruit people willing to distribute the malware to multiple machines.

Would-be hackers can head to dedicated forums to start their cybercriminal life, even if they lack the necessary technical expertise. These actors can leverage the pre-designated set of command and control (C&C) servers, along with a comprehensive and easy-to-use control interface available in 12 different languages to manage independent Cerber infection campaigns.

The IntSights Cyber Intelligence researchers observed marketing materials published on dark web forums and followed the process of recruiting affiliates. They discovered that eight new affiliates were joining the program each day, on average, and that every one of them was operating a different campaign.

The security researchers also explain that Cerber affiliates have become successful money launderers. The malware’s authors ask victims to pay the ransom in Bitcoin and they create a unique wallet for each victim. By using a mixing service that relies on a web of tens of thousands of Bitcoin wallets that are almost impossible to track individually, the ransomware authors receive their ransom payment without risking being caught, after which they transfer a certain percentage to the affiliates’ accounts.

Check Point researchers believe that the Cerber ransomware is of Russian origin, mainly because it avoids infecting computers in specific countries that Russian malware usually avoids: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan. Over the past month, Cerber targeted victims in 201 countries and territories, according to the report.

“This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry. While extensive, this research also reveals a small piece of the larger global threat taking place as hackers use strategies like Cerber to increasingly target businesses and individuals. It is our hope fellow security vendors and malware research professionals take the proper precautions and deploy relevant protections,” Neatsun Ziv, Vice President of Threat Prevention at Check Point, said.

The security researchers were also able to find a weakness in the implementation of the decryption process. While they wouldn’t reveal the specifics, since it would make it easy for the malware developers to apply a fix, Check Point researchers did exploit this weakness to create a decryption tool.
