Cerber, the world's biggest ransomware-as-a-service scheme, has evolved to become a multi-national franchise.
In July 2016 alone, Cerber had over 160 active campaigns, targeting 150,000 users in 201 countries, according to security researchers at Check Point. The overall profit made by Cerber in July was $195,000. The malware developer received approximately $78,000 and the rest was split between the affiliates, based on successful infections and ransom payments for each campaign.
Cerber is reckoned to originate from Russia. The malware expressly avoids infecting targets in 12 former Soviet Union countries, namely Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan.
Cybercrooks behind the scam recruit affiliates who spread the malware in return for a cut of the resulting profits. Funds from victims are received through a maze of thousands of Bitcoin accounts that allow the Cerber franchisees to successfully launder money. Cerber is set up to use a unique Bitcoin wallet for each of its victims.
Upon paying the ransom (usually 1 Bitcoin, currently worth $590/£456), the victim receives the decryption key. The Bitcoin is transferred to the malware developer and affiliates by flowing through thousands of Bitcoin wallets, making it almost impossible to trace individual payments.
Those looking for a cut of the action need not be technically skilled or knowledgeable. "Cerber is set up to enable non-technical criminals to take part in the highly profitable business and run independent campaigns, using a set of command and control servers and an easy-to-use control interface available in 12 different languages," Check Point explains.
Check Point's report has full details of the Cerber ransomware-as-a-service ecosystem – how it is advertised, the affiliate programme and the user interface used for campaign and profit management, plus analysis of the attack showing the full extent of operations last month. The study also features a full technical description of the malware's functionality, encryption process, communication methods and evasion techniques. ®