Check Point Researchers Unravel Complex Money Trail of ‘Cerber,’ One of the World’s Largest Active Ransomware Campaigns

San Carlos, CA  —  Tue, 16 Aug 2016

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), today published new findings on one of the largest active ransomware-as-a-service franchises in the world, Cerber. The report offers an unprecedented behind-the-scenes view into the complex cyber campaign, not only shining a light on the growing ransomware-as-a-service industry, but revealing a path researchers are now using to help individuals and businesses gain access to their encrypted files – without paying the increasingly inflated ransoms of cyber criminals.

In a 60-page report, Check Point’s Threat Intelligence and Research Team, along with research partner IntSights Cyber Intelligence, identify new details and analysis on Cerber’s technical and business operation, revealing:

  • Of all ransomware, the Cerber infection rate is significantly higher and more profitable.Cerber is currently running more than 160 active campaigns across the globe, with total annual projected revenue of approximately $2.3 million. Each day eight new campaigns on average are launched; in July alone, the research revealed approximately 150,000 victims affected in 201 countries and territories.
  • Cerber affiliates have become successful money launderers. Cerber uses the Bitcoin currency to evade tracing, and creates a unique wallet to receive funds from each of its victims. Upon paying the ransom (usually one Bitcoin, which is currently worth $590), the victim receives the decryption key. The Bitcoin is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track them individually. At the end of the process, the money reaches the developer, and the affiliates receive their percentage.
  • Cerber is opening the doors for more would-be hackers. Cerber enables non-technical individuals and groups to take part in the highly profitable business and run independent campaigns, using a set of assigned Command & Control (C&C) servers and a convenient control panel available in 12 different languages.

Since June 2016, Check Point and IntSight have been charting a comprehensive map of the complex system developed by Cerber, as well as its global distribution infrastructure. Researchers were able to regenerate actual victim wallets, allowing the team to monitor payments and transactions, and opening the door to track both the revenue gained by the malware and the money flow itself. Further, this information provided the blueprint for a decryption tool that could remedy infected systems without individuals or businesses bending to cyber-criminal ransom demands.

“This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry,” said Maya Horowitz, group manager, Research & Development, Check Point. “Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections.”

For more information on the findings, the full report ‘CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service’ can be found here: http://www.checkpoint.com/resources/cerberring/. In addition, for the steps a business or individual can take to decrypt a file infected with Cerber-based malware, visit: http://cerberdecrypt.com.

Check Point’s Threat Intelligence & Research divisions regularly investigate attacks, vulnerabilities and breaches, and develop protections to secure Check Point’s customers. For more information on other research findings from Check Point, visit: http://www.checkpoint.com/threatcloud-central/.