Check Point Software, together with IntSights, has released a very detailed report on the Cerber ransomware and its Ransomware-as-a-Service affiliate system. The revenue generated by the Cerber affiliate system is staggering: Cerber generated $195,000 in profits for July, and the malware developer takes a 40% cut of this total. This equated to the malware developer making $78,000 in July and a forecasted $946,000 for the year!
According to Check Point, they first discovered Cerber in February 2016, when the malware developer posted about the new ransomware on an underground criminal website in order to recruit affiliates. The Cerber developer manages the Command & Control servers, the affiliate system, the support center, and the programming of the ransomware, while the affiliates distribute the ransomware in order to infect victims. The developer and the affiliate then split the ransom payments, with the developer keeping 40% of the profits and 60% going to the distributor.
In order to explain how the affiliate system works, Check Point has released the infographic below.
Through Check Point and IntSights' monitoring, they were able to gather statistical and operational information as well as the ability to decrypt Cerber victims' encrypted files. Though it is not disclosed how Check Point and IntSights gathered all of their information, based on the images in the report and certain timestamps, I personally feel that they were able to compromise the Cerber affiliate system or its Command & Control server at some point in June 2016.
This monitoring also allowed them to see the various distribution campaigns performed by Cerber affiliates in order to infect victims. From email campaigns to exploit kits, Cerber has shown an evolving strategy when it comes to distributing the ransomware installers. As you can see from the image below, Cerber has been distributed by the Rig, Neutrino, and Magnitude exploit kits, with Magnitude clearly being the most heavily used of the three.
Furthermore, when Cerber communicates with its Command & Control servers, it sprays the messages across a wide range of IP addresses rather than contacting a single host. It does this to make it difficult for the authorities to locate the real server, but the downside is that security researchers can listen in on these IP addresses to see the information being sent.
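The same property that let researchers eavesdrop also makes this traffic stand out on a defender's own network: a single workstation that sends the same message to dozens of consecutive addresses in one /24 within seconds looks nothing like normal client traffic. The following is an added example, not code from the article or from the Check Point/IntSights report, of a small flow-log detector for that pattern. It assumes NetFlow-style records with timestamp, source, destination, protocol and destination port; the sample flows, the destination port (12345), the 60-second window and the threshold of 64 distinct hosts per /24 are all constructed values chosen for illustration, and the page itself does not state which protocol or ports Cerber uses.

```python
"""Flag hosts that spray messages across a wide, contiguous range of destination
addresses within a short window (added example; thresholds are assumptions)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch (constructed values below)
    src: str       # source host
    dst: str       # destination IPv4 address
    proto: str     # "udp" or "tcp"
    dport: int     # destination port


@dataclass(frozen=True)
class Alert:
    src: str
    network: str   # the /prefix that the destinations fell into
    proto: str
    dport: int
    distinct: int  # distinct destinations in the window when the threshold was crossed
    start: float
    end: float


def build_sample_flows() -> List[Flow]:
    """Constructed flow records, not real telemetry.

    Host 10.0.0.5 sends a datagram to 199 consecutive addresses in
    203.0.113.0/24 (a documentation range) within two seconds on an
    arbitrary port; host 10.0.0.7 makes two ordinary HTTPS connections."""
    spray = [Flow(1000.0 + i * 0.01, "10.0.0.5", f"203.0.113.{i}", "udp", 12345)
             for i in range(1, 200)]
    benign = [Flow(1000.0, "10.0.0.7", "198.51.100.10", "tcp", 443),
              Flow(1001.0, "10.0.0.7", "198.51.100.20", "tcp", 443)]
    return spray + benign


def detect_range_spray(flows: List[Flow], window_s: float = 60.0,
                       min_distinct: int = 64, prefix: int = 24) -> List[Alert]:
    """Return one Alert per (src, proto, dport, /prefix) bucket in which the
    source reached at least `min_distinct` different destinations inside any
    `window_s`-second sliding window."""
    # Group flows by source, protocol, port and the /prefix of the destination,
    # so that a spray across one contiguous range lands in a single bucket.
    buckets: Dict[Tuple[str, str, int, str], List[Tuple[float, str]]] = defaultdict(list)
    for f in flows:
        net = str(ip_network(f"{f.dst}/{prefix}", strict=False))
        buckets[(f.src, f.proto, f.dport, net)].append((f.ts, f.dst))

    alerts: List[Alert] = []
    for (src, proto, dport, net), events in buckets.items():
        events.sort()
        in_window: Counter = Counter()   # distinct destinations currently in the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that have fallen out of the sliding window.
            while ts - events[left][0] > window_s:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_distinct:
                alerts.append(Alert(src, net, proto, dport, len(in_window),
                                    events[left][0], ts))
                break   # one alert per bucket is enough to pivot from
    return alerts


if __name__ == "__main__":
    for a in detect_range_spray(build_sample_flows()):
        print(f"{a.src} reached {a.distinct} hosts in {a.network} "
              f"({a.proto}/{a.dport}) between t={a.start:.2f} and t={a.end:.2f}")
```

Grouping by destination port as well as by /24 keeps a browser that happens to touch many addresses in one CDN range on port 443 from tripping the rule; in production the threshold, window and a list of known CDN or scanner ranges would be tuned against the network's own baseline before the alert is allowed to page anyone.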
Through their work, Check Point is now able to decrypt victims' files for free. Unfortunately, now that the report has been published, it is safe to assume that the Cerber developers have either discovered that they were being monitored and have closed the security hole in their system, or will do so soon. They can then change the master decryption key so that future Cerber victims cannot be helped by Check Point's decryptor. Regardless, the number of people who can now be helped makes this a win for the good guys!