The inner workings of the Cerber ransomware campaign

Check Point’s research team has analysed the inner workings of Cerber, the world’s biggest ransomware-as-a-service scheme.

Cerber execution flow

Cerber is a ransomware franchise, in which the malware developer recruits affiliates who spread the malware further in return for a cut of the profits.

Cerber ransomware campaign key points

• The big difference from other ransomware is the extent of its infection. Cerber is currently running 161 active campaigns, targeting 150,000 users in 201 countries in July alone.
• Total estimated profits are $195,000 in July alone.
• It’s believed that Cerber is Russian in origin, as its configuration file reveals that the ransomware does not infect targets in the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan.
• It uses a maze of thousands of Bitcoin accounts that allow the Cerber franchisees to successfully launder the ransom money they receive.

Cerber is set up to enable non-technical criminals to take part in the highly profitable business and run independent campaigns, using a set of command and control servers and an easy-to-use control interface available in 12 different languages.

Evading tracking

Cerber uses Bitcoins to evade tracing, and creates a unique Bitcoin wallet for each of its victims. Upon paying the ransom (usually 1 Bitcoin, currently worth $590), the victim receives the decryption key.

The Bitcoin is transferred to the malware developer and affiliates by flowing through thousands of Bitcoin wallets, making it almost impossible to trace individual payments.

The Cerber business model

Profit

The overall profit made by Cerber in July was $195,000. The malware developer received approximately $78,000 and the rest was split between the affiliates, based on successful infections and ransom payments for each campaign. On a yearly basis, the estimated monthly profit for the ransomware author would be $946,000.

“This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry,” said Maya Horowitz, group manager, Research & Development, Check Point. “Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections.”