Cerber ransomware earns $2.3mil with 0.3% response rate

The fast-growing Cerber ransomware earned nearly $200,000 in July despite a payment rate of just 0.3 percent as a result of its affiliate distribution model, according to a new report by Check Point and IntSights Cyber Intelligence.

That puts it on track to make $2.3 million this year, said Maya Horowitz, group manager of threat intelligence at Israel-based Check Point Software Technologies Ltd.

In the affiliate model, non-technical customers can run their own campaigns using the platform and get to keep 60 percent of the profits. Affiliates get access to easy-to-use management tools, Cerber's Bitcoin laundering system, as well as the ransomware itself. Each day, eight new Cerber ransomware campaigns are launched, she said, with over 150 affiliates at current count.

By comparison, she said, the other major brand of ransomware common today is Locky.

"With Locky, there is just one team of threat actors," she said. "They don't share their malware with anyone else so all the income goes to them. With Cerber, it acts like a business that has branches all over."

In addition to their 60 percent cut, there is also a 5 percent referral bonus for affiliates who recruit new members.

"My assumption is that this means that there will be more and more such services, more and more attacks, even more than today," she said.

Check Point gathered this data by identifying the IP addresses that infected computers used to communicate with their command-and-control centers.

"It's pretty easy to intercept this traffic," Horowitz said. "Then you can really get the details of who the targets are and which campaigns are currently running."

For example, Check Point was able to determine that the malware authors are probably based in or near Russia.

"There are no infections in Russian-speaking countries," she said. "And in the configuration of the ransomware, the authors, as default, chose not to operate on machines or PCs that have Russian as their default language."

By not infecting the machines of users in Russia, the authors may be attempting to evade law enforcement in that country, she said.

In addition, Check Point was able to extract the unique Bitcoin wallet identifiers assigned to each victim in order to track how many actually paid the ransom, and then to follow the money from those wallets to one central wallet, then to a network of other wallets that are part of a Bitcoin mixing service, and then finally to their destinations.

"We followed these hundreds of thousands of different wallets," she said. "I think that this is the first time that security researchers can say for sure what percentage of victims pay the ransom."
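The wallet-tracing analysis described above, reduced to its core steps, as an added example (this is not code from the article or from Check Point's report). It assumes a ledger already exported as (sender, receiver, amount) tuples; all addresses, amounts and the "central" collection wallet below are constructed, and the six victim wallets stand in for the per-victim addresses the malware assigns.

```python
"""
Added example, not part of the original article: given per-victim deposit
wallets and a transaction ledger, (1) measure what fraction of victims paid,
(2) find the collection wallet the payments converge on, and (3) follow the
money through a mixing layer to its final destinations.
"""
from collections import Counter, defaultdict, deque

# Constructed ledger: (from_address, to_address, amount_btc).
# "victim_*" are hypothetical per-victim deposit wallets, "central" the
# hypothetical collection wallet, "mix_*" a mixing layer, "cashout_*" sinks.
TRANSACTIONS = [
    ("victim_01", "central", 1.24),
    ("victim_03", "central", 1.24),
    ("central", "mix_a", 1.50),
    ("central", "mix_b", 0.98),
    ("mix_a", "cashout_x", 0.75),
    ("mix_a", "mix_c", 0.75),
    ("mix_c", "cashout_y", 0.74),
    ("mix_b", "cashout_x", 0.97),
    # Noise: an inbound transfer to a victim wallet is not a ransom payment.
    ("unrelated", "victim_02", 0.05),
]

# Six victims were assigned wallets; only some of them will have paid.
VICTIM_WALLETS = ["victim_%02d" % i for i in range(1, 7)]


def build_graph(txs):
    """Adjacency list: address -> list of (receiver, amount)."""
    out = defaultdict(list)
    for src, dst, amt in txs:
        out[src].append((dst, amt))
    return out


def payment_rate(victim_wallets, txs):
    """Count victim wallets with an outbound transfer, i.e. a paid ransom.

    Returns (paid, total, fraction).
    """
    victims = set(victim_wallets)
    paid = {src for src, _, _ in txs if src in victims}
    return len(paid), len(victims), len(paid) / len(victims)


def find_central_wallet(victim_wallets, txs):
    """The address that receives from the most distinct victim wallets."""
    victims = set(victim_wallets)
    senders_by_receiver = defaultdict(set)
    for src, dst, _ in txs:
        if src in victims:
            senders_by_receiver[dst].add(src)
    counts = Counter({dst: len(s) for dst, s in senders_by_receiver.items()})
    return counts.most_common(1)[0][0]


def follow_money(start, graph):
    """Breadth-first walk from a wallet.

    Returns (reachable_addresses, {sink_address: btc_received}) where a sink
    is an address with no outbound transfers in the ledger.
    """
    seen = {start}
    queue = deque([start])
    sinks = defaultdict(float)
    while queue:
        node = queue.popleft()
        for dst, amt in graph.get(node, []):
            if not graph.get(dst):
                sinks[dst] += amt
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen, dict(sinks)


if __name__ == "__main__":
    paid, total, frac = payment_rate(VICTIM_WALLETS, TRANSACTIONS)
    print("victims paid: %d/%d (%.1f%%)" % (paid, total, 100 * frac))
    central = find_central_wallet(VICTIM_WALLETS, TRANSACTIONS)
    print("collection wallet:", central)
    reached, sinks = follow_money(central, build_graph(TRANSACTIONS))
    print("reachable:", sorted(reached))
    print("final destinations:", sinks)
```

On a real ledger the victim set comes from the addresses extracted from the malware configuration, and the sink detection has to tolerate change addresses and partial exports; the structure of the analysis (rate from outbound activity, convergence point from fan-in, destinations from a graph walk) stays the same.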

It was surprising how few people paid the ransom, she said. Previous estimates by other researchers have put payment rates at much higher levels.

"But it still gives the threat actors enough money," she added.

When analyzing the Cerber malware, Check Point also found a vulnerability in its decryption mechanism.

The company has published a decryption tool that exploits this vulnerability.

Stories by Maria Korolov
