Cerber ransomware earns $2.3mil with 0.3% response rate

The fast-growing Cerber ransomware earned nearly $200,000 in July despite a payment rate of just 0.3 percent as a result of its affiliate distribution model, according to a new report by Check Point and IntSights Cyber Intelligence.

That puts it on track to make $2.3 million this year, said Maya Horowitz, group manager of threat intelligence at Israel-based Check Point Software Technologies Ltd.

In the affiliate model, non-technical customers can run their own campaigns using the platform and keep 60 percent of the profits. Affiliates get access to easy-to-use management tools and Cerber's Bitcoin laundering system, as well as the ransomware itself. Each day, eight new Cerber ransomware campaigns are launched, she said, with over 150 affiliates at current count.

By comparison, she said, the other major brand of ransomware common today is Locky.

"With Locky, there is just one team of threat actors," she said. "They don't share their malware with anyone else so all the income goes to them. With Cerber, it acts like a business that has branches all over."

In addition to their 60 percent cut, there is also a 5 percent referral bonus for affiliates who recruit new members.

"My assumption is that this means that there will be more and more such services, more and more attacks, even more than today," she said.

Check Point gathered this data by identifying the IP addresses that infected computers used to communicate with their command-and-control centers.

"It's pretty easy to intercept this traffic," Horowitz said. "Then you can really get the details of who the targets are and which campaigns are currently running."

For example, Check Point was able to determine that the malware authors are probably based in or near Russia.

"There are no infections in Russian-speaking countries," she said. "And in the configuration of the ransomware, the authors, as default, chose not to operate on machines or PCs that have Russian as their default language."

By not infecting the machines of users in Russia, the authors may be attempting to evade law enforcement in that country, she said.

In addition, Check Point was able to extract the unique Bitcoin wallet identifier assigned to each victim in order to track how many actually paid the ransom. The researchers then followed the money from those wallets to one central wallet, from there to a network of other wallets that are part of a Bitcoin mixing service, and finally to their destinations.

"We followed these hundreds of thousands of different wallets," she said. "I think that this is the first time that security researchers can say for sure what percentage of victims pay the ransom."

It was surprising how few people paid the ransom, she said. Previous estimates by other researchers have put payment rates at much higher levels.

"But it still gives the threat actors enough money," she added.
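The wallet-tracing method described above, as an added illustration that is not Check Point's tooling or data: per-victim wallets recovered from C2 traffic are checked for inbound funds to compute a payment rate, and outgoing transactions are then followed from the central collection wallet through mixer hops to the terminal addresses where the money lands. Every address, amount and transaction below is a constructed placeholder (1,000 victim wallets, three of which were paid, giving the 0.3 percent rate the article reports).

```python
"""Trace constructed ransom payments: per-victim wallets -> central wallet
-> mixer hops -> final destinations. All data here is constructed."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed ledger: (sender, receiver, amount in BTC). Addresses starting
# with "ext_" are outside parties (victims paying in, or cash-out endpoints).
TRANSACTIONS: List[Tuple[str, str, float]] = [
    ("ext_victim_a", "victim_wallet_001", 1.0),
    ("ext_victim_b", "victim_wallet_002", 1.0),
    ("ext_victim_c", "victim_wallet_004", 1.0),
    ("victim_wallet_001", "central_wallet", 1.0),
    ("victim_wallet_002", "central_wallet", 1.0),
    ("victim_wallet_004", "central_wallet", 1.0),
    ("central_wallet", "mixer_01", 1.5),
    ("central_wallet", "mixer_02", 1.5),
    ("mixer_01", "mixer_03", 0.7),
    ("mixer_01", "ext_cashout_x", 0.8),
    ("mixer_02", "ext_cashout_y", 1.5),
    ("mixer_03", "ext_cashout_z", 0.7),
]

# Constructed set of per-victim wallet identifiers, as would be extracted
# from intercepted C2 traffic; only three of the 1,000 ever receive funds.
VICTIM_WALLETS: List[str] = [f"victim_wallet_{i:03d}" for i in range(1, 1001)]


def build_edges(txs: List[Tuple[str, str, float]]) -> Dict[str, List[Tuple[str, float]]]:
    """Adjacency list of outgoing transfers keyed by sender address."""
    out: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for sender, receiver, amount in txs:
        out[sender].append((receiver, amount))
    return out


def paying_victims(txs: List[Tuple[str, str, float]], victim_wallets: List[str]) -> Set[str]:
    """Victim wallets that received any inbound payment, i.e. victims who paid."""
    wallets = set(victim_wallets)
    return {receiver for _, receiver, amount in txs if receiver in wallets and amount > 0}


def payment_rate(txs: List[Tuple[str, str, float]], victim_wallets: List[str]) -> float:
    """Fraction of per-victim wallets that were actually funded."""
    return len(paying_victims(txs, victim_wallets)) / len(victim_wallets)


def inbound_total(txs: List[Tuple[str, str, float]], address: str) -> float:
    """Sum of all amounts transferred into one address."""
    return sum(amount for _, receiver, amount in txs if receiver == address)


def trace_destinations(txs: List[Tuple[str, str, float]], start: str) -> Dict[str, int]:
    """Breadth-first walk of outgoing transfers from `start`. Returns the
    terminal addresses (no outgoing transfers) reachable from it, mapped to
    the number of hops it took to reach them through intermediate wallets."""
    out = build_edges(txs)
    hops: Dict[str, int] = {start: 0}
    queue = deque([start])
    sinks: Dict[str, int] = {}
    while queue:
        node = queue.popleft()
        if not out.get(node):
            if node != start:
                sinks[node] = hops[node]
            continue
        for nxt, _ in out[node]:
            if nxt not in hops:  # each wallet is visited once
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return sinks


if __name__ == "__main__":
    paid = paying_victims(TRANSACTIONS, VICTIM_WALLETS)
    print(f"{len(paid)} of {len(VICTIM_WALLETS)} victims paid "
          f"({payment_rate(TRANSACTIONS, VICTIM_WALLETS):.1%})")
    for sink, depth in sorted(trace_destinations(TRANSACTIONS, "central_wallet").items()):
        print(f"{sink}: {inbound_total(TRANSACTIONS, sink):.2f} BTC after {depth} hops")
```

On real chain data the same walk runs against transaction outputs rather than a flat sender/receiver list, and mixing services deliberately split and merge funds across many hops, so the hop depth and the number of reachable sinks grow quickly; the inbound totals at the sinks still have to reconcile with what left the central wallet, which is a useful sanity check on the trace.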

When analyzing the Cerber malware, Check Point also found a vulnerability in its decryption mechanism.

The company has published a decryption tool that exploits this vulnerability.


Maria Korolov

CSO (US)