pixel_dreams - Fotolia

Cerber ransomware service reaps $195,000 profit in a month

Franchises such as Cerber are making highly profitable ransomware available to a broader range of cyber criminals, according to a report by security firm Check Point

The Cerber ransomware service infected 150,000 devices and extracted $195,000 in ransom payments in July 2016, according to security company Check Point.

The Cerber operation is a franchise that supplies ransomware as a service and is believed to be based in Russia. Check Point said there were 160 Cerber campaigns running in 201 countries, excluding the 12 former Soviet Union countries.

Cerber is the world’s biggest ransomware as a service scheme, according to Check Point researchers, who compiled a report on its operations.

The ransomware developer appears to recruit affiliates that spread the malware in return for a 60% cut of the profits and an additional 5% for recruiting a new member. Researchers estimate that the malware authors are making an annual profit of $946,000.

The Cerber operation uses a “maze” of thousands of bitcoin accounts, they said, that allow its franchisees to launder the ransom money they receive.

Cerber is set up to enable non-technical criminals to take part in the highly profitable business and run independent campaigns using a set of command and control servers and an easy-to-use control interface available in 12 languages.

This means that the highly profitable business of ransomware is no longer reserved for skilled attackers who can write sophisticated encryption schemes and establish a steady infrastructure.

With Cerber, unskilled actors without the required technical knowledge can easily connect with developers in various closed forums. For a small payment, the would-be attackers obtain an undetected ransomware variant. Then, they can easily manage their active campaigns through a basic web interface, the research report said.

Bitcoin blurring

Cerber uses bitcoins to evade tracing, and creates a unique bitcoin wallet for each of its victims. 

Like all ransomware, Cerber encrypts victims’ data and demands payment of 1 bitcoin ($569) in return for a decryption key to unlock the data. 

Victims in Australia, Canada, the UK, the US, Germany, France, Italy and India are most likely to pay the ransom, the report said.

The ransom is transferred to the malware developer and affiliates and passed through thousands of bitcoin wallets, the researchers said, making it almost impossible to trace individual payments.

Not reserved for nation states

“This research provides a rare look at the nature and global targets of the growing ransomware as a service industry,” said Maya Horowitz, group manager for research and development at Check Point.

“Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily.

“As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections.”

Cerber decryption tool

Check Point has developed a Cerber decryption tool, available at: https://www.cerberdecrypt.com/RansomwareDecryptionTool/  

Victims simply upload a single file that has been encrypted by Cerber, the company said, and then download the decryption tool together with a private decryption key to unscramble their files.

Ransomware has grown rapidly in popularity with cyber criminals since mid-2015, and has emerged as one of the top cyber threats in 2016.

In July 2016, the Dutch police, Europol, Intel Security and Kaspersky Lab launched a joint initiative to fight ransomware.

No More Ransom is an online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay a ransom to cyber criminals.

Read more about ransomware

  • Security researchers at Kasperky Lab and FireEye confirm that the upward trend of ransomware is continuing and has emerged as a top threat to business.
  • Businesses are still getting caught by ransomware even though fairly straightforward methods exist to avoid it.
  • The Cryptolocker ransomware caught many enterprises off-guard, but there is a defence strategy that works against it.

Ransomware is a top threat for EU law enforcement, with almost two-thirds of EU member states conducting investigations into this form of malware attack.

While the target is often individual users’ devices, corporate and even government networks are also affected, causing disruption to business and services.

Read more on Hackers and cybercrime prevention