Check Point researchers have discovered the sophisticated organization of Cerber, a Ransomware-as-a-Service (RaaS), which is reported to have had a total estimated profit of $195,000 in July alone.
Based on data collected by the researchers, the RaaS ring currently runs 161 active campaigns, which infected around 150,000 victims in 201 countries in the month of July. With eight new campaigns launched on a daily basis, it targets computer users with a new variant of the Cerber ransomware.
According to researchers, the average ransom payment is one bitcoin, currently worth around $590, to decrypt files locked by the Cerber ransomware. If the deadline is not met, the ransom is doubled to two bitcoins.
They also found that the malware authors receive 40 percent of the profit while 60 percent is paid out to associates who discover new targets. On a yearly basis, the ransomware author is estimated to take $946,000.
The highest number of infections and payments is located in the Republic of Korea (South Korea); the U.S., while ranking fourth in the number of infections, ranks second in the number of payments.
The research found that only 0.3 percent of those targeted actually paid the ransom demand in July, as opposed to the advertised 0.5-3 percent. While these numbers are low, they still produce a significant profit for the ransomware operators.
Even though RaaS rings are nothing new, what sets this Cerber operation apart from the others is that it launders its bitcoin proceeds through a technique known as bitcoin mixing in order to remain untraceable.
Bitcoin lets its users remain anonymous when making payments. However, while a bitcoin wallet cannot by itself be linked back to its owner's identity, every transaction involving that wallet is publicly visible on bitcoin's distributed ledger, the blockchain.
As a consequence, bitcoin wallets with a large number of bitcoins and frequent daily transactions may draw too much attention which in turn could lead to the identification of a ransomware author’s account in addition to its associates.
In a bid to prevent their identities from becoming known, the operators use a bitcoin mixing service. This allows the ransomware author to transfer bitcoin and receive the same amount back into a wallet that cannot be traced back to the original owner. The mixing process passes the funds through tens of thousands of bitcoin wallets, making it almost impossible to track down the individual responsible. Not only that, but according to the research, the individual can divide the money among several bitcoin wallets at the end of the mixing process.
According to the researchers, the attackers are utilizing a new variant of Cerber, known as Cerber 2, which was released July 29.
Since its first appearance in February 2016, Cerber ransomware has quickly become one of the most widespread ransomware variants. It is known for its ability to 'speak' its ransom notes to victims. Cerber 2 boasts several improvements, such as updated domain synchronization in the HTML version of the instructions.
The research found that 41 percent of the overall Cerber infections carried out by associates use exploit kits as part of an exploit-as-a-service offering, while phishing emails account for 69 percent. The most notable campaign uses the Magnitude Exploit Kit, which accounts for 84 percent and primarily targets users in China and South Korea.
Last modified: May 21, 2020 10:18 AM UTC