Check Point Researchers Unravel Complex Money Trail of ‘Cerber,’ One of the World’s Largest Active Ransomware Campaigns
Findings are helping researchers build decryption tools so individuals and businesses can gain back control of infected computers – without paying cyber-criminals’ ransom
Singapore, @mcgallen #microwireinfo, August 17, 2016 – Check Point® Software Technologies Ltd. (NASDAQ: CHKP), today published new findings on one of the largest active ransomware-as-a-service franchises in the world, Cerber. The report offers an unprecedented behind-the-scenes view into the complex cyber campaign, not only shining a light on the growing ransomware-as-a-service industry, but revealing a path researchers are now using to help individuals and businesses gain access to their encrypted files – without paying the increasingly inflated ransoms of cyber criminals.
In a 60-page report, Check Point’s Threat Intelligence and Research Team, along with research partner IntSights Cyber Intelligence, identify new details and analysis on Cerber’s technical and business operation, revealing:
* Of all ransomware, the Cerber infection rate is significantly higher and more profitable. Cerber is currently running more than 160 active campaigns across the globe, with total annual projected revenue of approximately US$2.3 million. Each day eight new campaigns on average are launched; in July alone, the research revealed approximately 150,000 victims affected in 201 countries and territories.
* Cerber affiliates have become successful money launderers. Cerber uses the Bitcoin currency to evade tracing, and creates a unique wallet to receive funds from each of its victims. Upon paying the ransom (usually one Bitcoin, which is currently worth US$590), the victim receives the decryption key. The Bitcoin is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track them individually. At the end of the process, the money reaches the developer, and the affiliates receive their percentage.
* Cerber is opening the doors for more would-be hackers. Cerber enables non-technical individuals and groups to take part in the highly profitable business and run independent campaigns, using a set of assigned Command & Control (C&C) servers and a convenient control panel available in 12 different languages.
Since June 2016, Check Point and IntSight have been charting a comprehensive map of the complex system developed by Cerber, as well as its global distribution infrastructure. Researchers were able to regenerate actual victim wallets, allowing the team to monitor payments and transactions, and opening the door to track both the revenue gained by the malware and the money flow itself. Further, this information provided the blueprint for a decryption tool that could remedy infected systems without individuals or businesses bending to cyber-criminal ransom demands.
“This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry,” said Maya Horowitz, group manager, Research & Development, Check Point. “Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections.”
For more information on the findings, the full report ‘CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service’ can be found here: http://www.checkpoint.com/resources/cerberring/. In addition, for the steps a business or individual can take to decrypt a file infected with Cerber-based malware, visit: http://cerberdecrypt.com.
Check Point’s Threat Intelligence & Research divisions regularly investigate attacks, vulnerabilities and breaches, and develop protections to secure Check Point’s customers. For more information on other research findings from Check Point, visit: http://www.checkpoint.com/threatcloud-central/.
Follow Check Point via:
About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is the largest network cyber security vendor globally, providing industry-leading solutions and protecting customers from cyberattacks with an unmatched catch rate of malware and other types of threats. Check Point offers a complete security architecture defending enterprises – from networks to mobile devices – in addition to the most comprehensive and intuitive security management. Check Point protects over 100,000 organizations of all sizes.
# # #