Cerber ransomware earns $2.3mil with 0.3% response rate

The fast-growing Cerber ransomware earned nearly $200,000 in July despite a payment rate of just 0.3 percent as a result of its affiliate distribution model, according to a new report by Check Point and IntSights Cyber Intelligence.

That puts it on track to make $2.3 million this year, said Maya Horowitz, group manager of threat intelligence at Israel-based Check Point Software Technologies Ltd.

In the affiliate model, non-technical customers can run their own campaigns using the platform and get to keep 60 percent of the profits. Affiliates get access to easy-to-use management tools, Cerber's Bitcoin laundering system, as well as the ransomware itself. Each day, eight new Cerber ransomware campaigns are launched, she said, with over 150 affiliates at current count.

By comparison, she said, the other major brand of ransomware common today is Locky.

"With Locky, there is just one team of threat actors," she said. "They don't share their malware with anyone else so all the income goes to them. With Cerber, it acts like a business that has branches all over."

In addition to their 60 percent cut, there is also a 5 percent referral bonus for affiliates who recruit new members.

"My assumption is that this means that there will be more and more such services, more and more attacks, even more than today," she said.

Check Point gathered this data by identifying the IP addresses that infected computers used to communicate with their command-and-control centers.

"It's pretty easy to intercept this traffic," Horowitz said. "Then you can really get the details of who the targets are and which campaigns are currently running."

For example, Check Point was able to determine that the malware authors are probably based in or near Russia.

"There are no infections in Russian-speaking countries," she said. "And in the configuration of the ransomware, the authors, as default, chose not to operate on machines or PCs that have Russian as their default language."

By not infecting the machines of users in Russia, the authors may be attempting to evade law enforcement in that country, she said.

In addition, Check Point was able to extract the unique Bitcoin wallet identifiers assigned to each victim in order to track how many actually paid the ransom, and then to follow the money from those wallets to one central wallet, then to a network of other wallets that are part of a Bitcoin mixing service, and then finally to their destinations.

"We followed these hundreds of thousands of different wallets," she said. "I think that this is the first time that security researchers can say for sure what percentage of victims pay the ransom."

It was surprising how few people paid the ransom, she said. Previous estimates by other researchers have put payment rates at much higher levels.

"But it still gives the threat actors enough money," she added.
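The wallet-tracing approach described above (per-victim wallets, a payment rate, a sweep to one collection wallet, then hops through a mixer to cash-out addresses) can be modelled as a graph walk. The following is an added illustration, not Check Point's tooling; the ledger and wallet names are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real blockchain data): (sender, receiver, BTC).
# Each infection gets its own wallet; paid wallets are swept to one central
# wallet, which feeds a set of mixer wallets before reaching cash-out addresses.
LEDGER = [
    ("payer_1", "victim_a", 1.0),
    ("payer_2", "victim_b", 1.0),
    ("victim_a", "central", 1.0),
    ("victim_b", "central", 1.0),
    ("central", "mix_1", 1.2),
    ("central", "mix_2", 0.8),
    ("mix_1", "mix_3", 1.2),
    ("mix_2", "cashout_x", 0.8),
    ("mix_3", "cashout_y", 1.2),
]
# Wallets the ransomware assigned to victims; victim_c and victim_d never paid.
VICTIM_WALLETS = {"victim_a", "victim_b", "victim_c", "victim_d"}


def paying_victims(ledger, victim_wallets):
    """Victim wallets that received any inbound payment."""
    return {recv for _, recv, amt in ledger if recv in victim_wallets and amt > 0}


def payment_rate(ledger, victim_wallets):
    """Fraction of assigned victim wallets that were actually funded."""
    return len(paying_victims(ledger, victim_wallets)) / len(victim_wallets)


def collection_wallet(ledger, victim_wallets):
    """The wallet that receives sweeps from the most victim wallets."""
    inbound = defaultdict(set)
    for sender, recv, _ in ledger:
        if sender in victim_wallets:
            inbound[recv].add(sender)
    return max(inbound, key=lambda w: len(inbound[w]))


def follow_funds(ledger, victim_wallets):
    """BFS from funded victim wallets through every downstream wallet.
    Returns (all wallets reached, terminal wallets with no outgoing tx)."""
    graph = defaultdict(list)
    for sender, recv, _ in ledger:
        graph[sender].append(recv)
    reached = set(paying_victims(ledger, victim_wallets))
    queue, terminals = deque(reached), set()
    while queue:
        wallet = queue.popleft()
        if wallet not in graph:
            terminals.add(wallet)  # money stops here: a cash-out address
            continue
        for nxt in graph[wallet]:
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached, terminals
```

On this sample, half of the victim wallets were funded, the sweep converges on `central`, and the flow terminates at the two cash-out addresses.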

When analyzing the Cerber malware, Check Point also found a vulnerability in its decryption mechanism.

The company has published a decryption tool that exploits this vulnerability.

Maria Korolov

CSO (US)