From Russia With Love - Cerber Ransomware-as-a-Service

Jordan Kadlec

The number one ransomware attack of 2016, Cerber, has been definitively tied back to Russian ransomware-as-a-service developers. Cerber has been confirmed as Russian-based ransomware: the malware is sold on the dark web in Russia, and it refuses to infect computers in Russia and other former Soviet nations. 2017 looks to be more of the same from our frenemies in Eastern Europe.


Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) is like all other forms of ransomware in that it infects a machine when the user clicks on a certain file or link. The malware then encrypts the user’s files and renders them inaccessible until the victim pays the ransom for the decryption key. However, RaaS is a variant of ransomware designed to be so user-friendly that it can be deployed by anyone with little cyber know-how. The new ‘cybercriminals’ download the virus for free or a nominal fee, set a ransom and payment deadline, and attempt to trick users into infecting their computers. If the victim ends up paying the ransom, the original developer gets a commission of anywhere between 5% and 20%, while the individual who deployed the attack gets the remaining amount.

Cerber RaaS

Operators behind the Cerber ransomware, which can be definitively traced back to the Russian developers, run an average of 161 active campaigns at any given time. With an average of eight new campaigns launched since tracking of Cerber began in March 2016, Cerber generates an estimated $2.3 million in annual revenue. As the number one ransomware attack in 2016, Cerber infected about 150,000 victims per month.

Source: Check Point

Generally, about 3% of people get infected from ransomware phishing campaigns and end up paying the ransom for the decryption key. That means Cerber needs to reach at least 5 million people per month in order to infect its average of 150,000 victims. So, how do the Russian developers of Cerber reach that many people? Well, they use Cerber ransomware-as-a-service.

Cerber RaaS shows how large and lucrative the RaaS industry has become: ransomware is no longer exclusive to skilled cybercriminals who are tech-savvy enough to write their own code for ransomware variants. Anyone who wants to become a hacker can head to underground forums and purchase a pre-designed set of command and control servers, along with a comprehensive set of easy-to-use control interfaces available in 12 different languages to manage Cerber infection campaigns.

The widespread success of Cerber RaaS is also due to the fact that new cybercriminals have little chance of being caught. The malware’s authors require the ransom to be paid in Bitcoin, and they create a new wallet for each victim. Because they use a mixing service that relies on a web of tens of thousands of Bitcoin wallets, it becomes almost impossible to track each transaction individually. This allows the hackers to receive their ransom without the risk of being caught.

WatchPoint Webinar: From Russia with Love

Ransomware is nothing new, but infections are on the rise. According to the FBI, there was an average of 4,000 new infections per day in 2016. The outlook for 2017 is even worse.


On Wednesday, January 18th, join CEO Greg Edwards and Chief Hacking Officer Nathan Studebaker as they host a Stopping Ransomware Webinar. Learn how WatchPoint is putting an end to ransomware with CryptoStopper, which uses deception technology and turns the tables on cybercriminals.
