As it turns out, the vast majority of victims that are infected with Cerber ransomware never actually pay the ransom, but that doesn’t mean that Cerber isn’t making money—in fact, it’s making a lot of money. A new report published Aug. 18 by security firm Check Point Software Technologies provides insight into how Cerber operates its ransomware-as-a-service model that generated at least $195,000 in profit in July alone.
The Cerber ransomware is operated in a model whereby affiliates sign up to help distribute the malware and then earn a percentage of any payouts. In one Cerber recruiting advertisement reported on by Check Point, Cerber affiliates are promised a payout of 60 percent of the ransom profit, with a 5 percent bonus if the affiliate is able to also recruit new affiliates into the Cerber platform. That leaves 35 to 40 percent of the ransomware profit for Cerber’s developers.
Check Point noted that, according to the Cerber advertisements on various dark web forums, up to 3 percent of infected victims will pay the ransom. That said, Check Point’s own research tracing the payment path via victims’ Bitcoin wallets shows a much lower conversion rate for victim payouts. For July, Check Point’s research shows that only 0.3 percent of victims paid a ransom.
However, even with such a low conversion rate, Cerber malware is making money. Doing the math, if Cerber’s authors get 40 percent of the $195,000 in payouts in July (with the remainder being paid to affiliates), Cerber’s authors generated $78,000 in revenue for July. Assuming July is a typical month for Cerber, that means Cerber’s authors could be making $946,000 per year from the ransomware platform.
Why Cerber Victims Aren’t Paying Ransoms
There could be a number of reasons why so few Cerber victims are paying the ransom. One is that victims either have backups or their files are less valuable to them than the 1 Bitcoin (approximately $590) that it costs to pay the ransom, according to Maya Horowitz, threat intelligence group manager at Check Point. Another reason could be the victim simply doesn’t know how to buy Bitcoins to make the payment, she said.
Check Point’s analysis included all of the Cerber activity it could find, but there’s a possibility a few campaigns evaded analysis, Horowitz added.
“Different analysts have different opinions on other ransomware authors’ income, most of which can’t be proved,” she told eWEEK. “Cerber’s way of communicating with its command and control servers gave us a rare opportunity to see all victims and payments, and we don’t have such accurate data for other [ransomware] families.”
At this point, Cerber is still an active ransomware threat, though Horowitz is optimistic that Check Point’s research publication will help shut down the operation.
“We do hope that even though we are yet to have the specifics on the actors, they will understand that security researchers and law enforcement are on their tail and have very intimate details on their operations, and will eventually decide to shut down their business,” Horowitz said.
Check Point has had some success helping to shut down malware operations in the past. In June, the Nuclear Exploit Kit shut down after Check Point published an in-depth report on its operations.
For Cerber victims, there is another option besides paying the ransom, according to Horowitz.
“If someone needs their files back, I can’t suggest not to pay, but Check Point’s deep dive into this ransomware allowed us to find a vulnerability in the implementation of the decryption process that we are able to use for free decryption,” she said. “So in parallel to our report, we are also publishing a decryption tool that is open for the public, free of charge.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.