Cerber Ransomware Affiliate Network Extorts $195K In July

New research released today by Check Point Software Technologies (NASDAQ: CHKP) is shining light on a dark but growing corner of the internet: ransomware affiliate programs. The report released by Check Point takes an in-depth look at Cerber and Cerber 2 franchises, as well as the author of the code itself.

For a fee, any computer user is reported to be able to purchase a working version of Cerber malware from hidden forums, accessible only using the TOR Browser, making identification of individual actors challenging for authorities.

The Cerber and Cerber 2 malware are reported to be delivered to unsuspecting users in email attachments and via compromised websites.

Once a computer is infected, the virus will encrypt files on the host machine and display a message that demands a payment of one bitcoin (about $565), which doubles after five days, and provides a payment address. The promise made is that the victim will be given the necessary key to decrypt the files if the ransom is paid. Reports of users paying the ransom, receiving the decryption key, and successfully restoring their files exist, but unfortunately, when dealing with extortionists, there are no guarantees.

The scheme is said to be so pervasive that affiliates running the Cerber ransomware can log into dashboards and monitor the status of their malware campaigns. The website is said to even include “polite and friendly” online help. Sixty percent of collected ransoms reportedly go to affiliates in one example, with another 5 percent offered for those who sign up new franchisees. The remainder goes to the ransomware developer.

The anonymous nature of bitcoin makes tracking the perpetrators of Cerber ransomware challenging. A unique bitcoin address is said to be created to receive payments from each potential victim. Following the movement of funds from these addresses has led Check Point to bitcoin “mixing services” said to have a legitimate purpose, but which makes the flow of funds through them almost impossible to track.

“While innocent users may choose to use this method to transfer anonymous donations or perform other legitimate transactions, the mixing service is a perfect tool for cybercriminals to launder funds obtained through illegal business transactions.”

Check Point has determined that the author of the Cerber ransomware controls the wallets receiving money from victims and then distributes payments to affiliates after laundering the ransom payments through a mixing service. Over a full year, the software security firm noted that, at the rate observed in July, Cerber’s author would collect close to $1 million.

Cerber’s total take was reported to be $195,000 in July and that 0.3 percent of victims chose to pay the ransom. South Korea witnessed the greatest number of Cerber attacks on a global basis, followed by the United States, Taiwan, and China.

Users located in Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan are reported to be unaffected by Cerber, leading researchers to suspect that the malware is of Russian origin.

Avoiding becoming infected with Cerber ransomware in the first place is the best way to avoid having files encrypted and a ransom demanded. Backing up files regularly protects users from potentially losing valuable information. Once files are encrypted, Check Point reports that there is only a slight chance that Windows 7 Restore or Windows 10 File History, as described by Microsoft TechNet, will be successful in restoring the originals.

Those running security software, such as Check Point ZoneAlarm and Endpoint Security, are reportedly protected against Cerber and Cerber 2 ransomware. Users are also encouraged to keep their operating system and security software updated. Check Point reports that “in most cases” Cerber is able to circumvent Windows Defender.

Successfully decrypting files on an infected machine requires a key. Experienced computer users and service professionals may be able to find this key in communications between Cerber clients and their command-and-control servers. However, there are no guarantees.

Check Point notes that paying the ransom involves providing funds to a criminal enterprise, which may simply take the money and not provide the decryption key, as well as encouraging the further proliferation of Cerber. In some cases, paying the Cerber ransom may be the only chance available to retrieve critical files, as well as making financial sense.

The Israel-based software security firm reports that after the ransom is paid, Cerber typically removes itself from infected machines. Guides on how to manually remove virus files not automatically deleted are available on YouTube. Users whose computers have been infected but who are unconcerned about retrieving encrypted files may also use these methods.

[Photo by iStock]