Ransomware-as-a-service campaigns are quickly rising as a profitable business option for would-be hackers with little technical know-how as developers of the service and its affiliates haul in millions of dollars every year. Cybersecurity researchers at Check Point have found that Cerber ransomware, one of the largest ransomware campaigns in the world, currently runs over 160 active campaigns across the globe and generates total annual projected revenue of about $2.3m.
A new 60-page report titled "CerberRing: An In-depth exposé on Cerber ransomware-as-a-service" released together with IntSights Cyber Intelligence, sheds light on the complex yet lucrative campaign system developed by Cerber, as well as the rapidly growing RaaS industry as a whole.
In July alone, at least eight new campaigns were launched every day, targeting 150,000 users in 201 countries and territories, the researchers found. They also estimate cybercriminals earned around $195,000 in overall profit from Cerber in July with its authors raking in about $78,000 alone. In a year, a ransomware author stands to make an estimated $946,000 - a hefty amount given that just 3% of victims on average pay the ransom to access their encrypted files.
While Cerber authors earn 40% of the total profits, the rest is given to affiliates.
"Ransomware is no longer a highly profitable business reserved only for skilled attackers who can write sophisticate encryption schemes and establish a steady infrastructure," the report reads. "An unskilled actor who lacks the technical knowledge can now easily reach out to one of many users in various closed forums."
Using a set of assigned Command & Control (C&C) servers and an easy-to-use control panel available in 12 different languages, including Chinese, Arabic and Portuguese, Cerber allows tech novices and groups to take part in and launch their own ransomware campaigns.
"For a small payment, the would-be attackers can obtain an undetected variant and a designated set of C&C infrastructure servers, and easily manage their active campaigns using a basic interface."
Using Bitcoin currency to avoid detection and tracing, Cerber creates a unique Bitcoin wallet for each victim. Once a victim has paid the ransom, which is usually 1 Bitcoin ($590), the user receives the decryption key to unlock his or her encrypted files. The payment is then transferred over to the malware developer through a mixing service that includes thousands of bitcoin wallets, essentially making it impossible for anyone to track an individual transaction.
After the mixing process, the cash then makes its way to the developer and the affiliates.
The report also notes that Cerber is likely a Russia-based service, given the fact that most of the RaaS advertisements that researchers found were written in Russian. Moreover, the "Russian malware" does not target Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan allowing threat actors to bypass detection and legal consequences by law enforcement in these countries.
"This research provides a rare look at the nature and global targets of the growing ransomware-as-a-service industry," Maya Horowitz, group manager of research and development at Check Point, said in a statement. "Cyber-attacks are no longer the sole essence of nation-state actors and of those with the technical ability to author their own tools; nowadays, they are offered to anyone and can be operated fairly easily. As a result, this industry is growing extensively, and we should all take the proper precautions and deploy relevant protections."