Operators behind the Cerber ransomware are currently running 161 active campaigns, which generate an estimated $2.3 million in annual revenue, according to a new report from Check Point and IntSights.
Check Point researchers have been tracking the malware since June and discovered that eight new campaigns are launched each day, on average. Their research once again reveals that the ransomware-as-a-service (RaaS) business model allows almost anyone to become a cybercriminal.
In July alone, the malware impacted around 150,000 victims in 201 countries, the CerberRing an in-depth exposé on Cerber ransomware-as-a-service report (PDF) reveals. Courtesy of this extensive infection rate, greater than that of other ransomware, the Cerber operators made an estimated profit of $195,000 during July, which translates into an estimated revenue of $2.3 million per year.
The demanded ransom is only 1 Bitcoin, which is worth around $590 at the moment. Of the $195,000 in profit made in July, approximately $78,000 went to the malware developer, while the rest was split between the affiliates. The security researchers estimate that the ransomware author gets around $946,000 per year, with little risk.
These cybercriminals enjoy high profits even if only around 3 percent of the victims purchase their decoder. The percentage depends on geography and distribution method (exploit kits, drive-by-downloads, spam), but researchers discovered that Australia, Canada, Great Britain, the United States, Germany, France, Italy, and India are the top countries for paying the ransom and purchasing the decoder.
According to the report, Cerber is proof of how large and lucrative the RaaS industry has become, as it is no longer exclusive to skilled cybercriminals who can write sophisticated code and establish a steady infrastructure. Cerber’s success relies on a large private affiliate program where the ransomware authors recruit people willing to distribute the malware to multiple machines.
Would-be hackers can head to dedicated forums to start their cybercriminal life, even if they lack the necessary technical expertise. These actors can leverage the pre-designated set of command and control (C&C) servers, along with a comprehensive and easy-to-use control interface available in 12 different languages to manage independent Cerber infection campaigns.
The IntSights Cyber Intelligence researchers observed marketing materials published on dark web forums and followed the process of recruiting affiliates. They discovered that eight new affiliates were joining the program each day, on average, and that every one of them was operating a different campaign.
The security researchers also explain that Cerber affiliates have become successful money launderers. The malware’s authors ask victims to pay the ransom in Bitcoin and they create a unique wallet for each victim. By using a mixing service that relies on a web of tens of thousands of Bitcoin wallets that are almost impossible to be tracked individually, the ransomware authors receive their ransom payment without risking being caught, after which they transfer a certain percentage to the affiliates’ accounts.
Check Point researchers believe that the Cerber ransomware is of Russian origin, mainly because it avoids infecting computers in specific countries, usually avoided by Russian malware: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan. Over the past month, Cerber targeted victims in 201 countries and territories, according to the report.
“This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry. While extensive, this research also reveals a small piece of the larger global threat taking place as hackers use strategies like Cerber to increasingly target businesses and individuals. It is our hope fellow security vendors and malware research professionals take the proper precautions and deploy relevant protections,” Neatsun Ziv, Vice President of Threat Prevention at Check Point, said.
The security researchers were also able to find a weakness in the implementation of the decryption process. While they wouldn’t reveal the specifics, since it would make it easy for the malware developers to apply a fix, Check Point researchers did exploit this weakness to create a decryption tool.
Related: Cerber Ransomware Morphing Every 15 Seconds
Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal
Related: Shade Ransomware Updated With Backdoor Capabilities