The fast-growing Cerber ransomware earned nearly $200,000 in July despite a payment rate of just 0.3 percent as a result of its affiliate distribution model, according to a new report by Check Point and IntSights Cyber Intelligence.
That puts it on track to make $2.3 million this year, said Maya Horowitz, group manager of threat intelligence at Israel-based Check Point Software Technologies Ltd.
In the affiliate model, non-technical customers can run their own campaigns using the platform and get to keep 60 percent of the profits. Affiliates get access to easy-to-use management tools, Cerber's Bitcoin laundering system, as well as the ransomware itself. Each day, eight new Cerber ransomware campaigns are launched, she said, with over 150 affiliates at current count.
By comparison, she said, the other major brand of ransomware common today is Locky.
"With Locky, there is just one team of threat actors," she said. "They don't share their malware with anyone else so all the income goes to them. With Cerber, it acts like a business that has branches all over."
In addition to their 60 percent cut, there is also a 5 percent referral bonus for affiliates who recruit new members.
"My assumption is that this means that there will be more and more such services, more and more attacks, even more than today," she said.
Check Point gathered this data by identifying the IP addresses that infected computers used to communicate with their command-and-control centers.
"It's pretty easy to intercept this traffic," Horowitz said. "Then you can really get the details of who the targets are and which campaigns are currently running."
For example, Check Point was able to determine that the malware authors are probably based in or near Russia.
"There are no infections in Russian-speaking countries," she said. "And in the configuration of the ransomware, the authors, as default, chose not to operate on machines or PCs that have Russian as their default language."
By not infecting the machines of users in Russia, the authors may be attempting to evade law enforcement in that country, she said.
In addition, Check Point was able to extract the unique Bitcoin wallet identifier assigned to each victim in order to track how many actually paid the ransom. It then followed the money from those per-victim wallets to one central wallet, from there into a network of wallets that form a Bitcoin mixing service, and finally on to the funds' destinations.
"We followed these hundreds of thousands of different wallets," she said. "I think that this is the first time that security researchers can say for sure what percentage of victims pay the ransom."
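As an added illustration of the tracing described above (example code written for this page, not Check Point's tooling or data), the Python sketch below models the three steps: check which per-victim wallets ever received funds, find the wallet those funds are swept into, and walk the transaction graph forward through the mixing layer to the addresses where the money stops moving. The ledger is constructed toy data; address names such as `victim_1`, `central`, `mixer_1` and `cashout_x` are placeholders rather than real wallets, and the 30 percent toy payment rate has nothing to do with the 0.3 percent reported above.

```python
from collections import Counter, defaultdict, deque

# One wallet is assigned per victim (constructed placeholders, not real addresses).
VICTIM_WALLETS = [f"victim_{i}" for i in range(1, 11)]

# Constructed toy ledger. Each transaction spends from every address in `inputs`
# and pays the listed (address, amount) `outputs`. Payer, central, mixer and
# cash-out names are placeholders for this example only.
LEDGER = [
    # three victims pay their ransom from wallets they control
    {"txid": "t1", "inputs": ["payer_a"], "outputs": [("victim_2", 1.0)]},
    {"txid": "t2", "inputs": ["payer_b"], "outputs": [("victim_5", 1.0)]},
    {"txid": "t3", "inputs": ["payer_c"], "outputs": [("victim_9", 1.0)]},
    # the operators sweep every paid victim wallet into one central wallet
    {"txid": "t4", "inputs": ["victim_2", "victim_5", "victim_9"],
     "outputs": [("central", 3.0)]},
    # the central wallet feeds a mixing layer that splits and recombines coins
    {"txid": "t5", "inputs": ["central"],
     "outputs": [("mixer_1", 1.5), ("mixer_2", 1.5)]},
    {"txid": "t6", "inputs": ["mixer_1", "mixer_2"],
     "outputs": [("mixer_3", 1.0), ("mixer_4", 2.0)]},
    # mixer outputs land at addresses that are never spent again in this ledger
    {"txid": "t7", "inputs": ["mixer_3"], "outputs": [("cashout_x", 1.0)]},
    {"txid": "t8", "inputs": ["mixer_4"], "outputs": [("cashout_y", 2.0)]},
]


def _by_input(ledger):
    """Index: address -> transactions that spend from it."""
    idx = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            idx[addr].append(tx)
    return idx


def _by_output(ledger):
    """Index: address -> (txid, amount) pairs paid to it."""
    idx = defaultdict(list)
    for tx in ledger:
        for addr, amount in tx["outputs"]:
            idx[addr].append((tx["txid"], amount))
    return idx


def paid_victims(ledger, victim_wallets):
    """Victim wallets that received at least one payment."""
    inbound = _by_output(ledger)
    return {w for w in victim_wallets if inbound.get(w)}


def payment_rate(ledger, victim_wallets):
    """Fraction of assigned victim wallets that were ever paid."""
    if not victim_wallets:
        return 0.0
    return len(paid_victims(ledger, victim_wallets)) / len(victim_wallets)


def central_wallet(ledger, victim_wallets):
    """Most common first-hop destination of funds leaving paid victim wallets."""
    spends = _by_input(ledger)
    tally = Counter()
    for w in paid_victims(ledger, victim_wallets):
        for tx in spends.get(w, []):
            for addr, _ in tx["outputs"]:
                tally[addr] += 1
    return tally.most_common(1)[0][0] if tally else None


def trace_forward(ledger, start):
    """Breadth-first walk downstream from `start`; returns address -> hop count.
    The visited map also guards against cycles, which mixers commonly create."""
    spends = _by_input(ledger)
    hops = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        for tx in spends.get(addr, []):
            for nxt, _ in tx["outputs"]:
                if nxt not in hops:
                    hops[nxt] = hops[addr] + 1
                    queue.append(nxt)
    return hops


def sinks(ledger, hops):
    """Reachable addresses that never spend again: the trace's destinations."""
    spends = _by_input(ledger)
    return {a for a in hops if a not in spends}


if __name__ == "__main__":
    paid = paid_victims(LEDGER, VICTIM_WALLETS)
    print(f"paid {len(paid)}/{len(VICTIM_WALLETS)} "
          f"({payment_rate(LEDGER, VICTIM_WALLETS):.0%})")
    hub = central_wallet(LEDGER, VICTIM_WALLETS)
    reach = trace_forward(LEDGER, hub)
    print("central wallet:", hub)
    print("destinations:", sorted(sinks(LEDGER, reach)),
          "at hop depths", {a: reach[a] for a in sinks(LEDGER, reach)})
```

On a real chain the same walk runs over transaction outputs pulled from a block explorer or a full node, and the hard part is not the graph traversal but deciding which outputs in a mixing transaction belong to the operator rather than to other mixer customers; the sketch above treats every output as reachable, which overstates the operator's share past the mixing layer.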
It was surprising how few people paid the ransom, she said. Previous estimates by other researchers have put payment rates at much higher levels.
"But it still gives the threat actors enough money," she added.
When analyzing the Cerber malware, Check Point also found a vulnerability in its decryption mechanism.
The company has published a decryption tool that exploits this vulnerability.