Announcing a joint research into Cerber Ransomware-as-a-Service ring

We are proud to announce the release of a collaborative research project that we’ve conducted with the cybersecurity industry leader, Checkpoint.

The aim of this research project was to uncover the ransomware-as-a-service known as Cerber - the leading ransomware variant in the market today.

We identified Cerber upon its release back in February and have tracked the recruitment and profit management procedures since then. Checkpoint then used our findings to conduct a thorough technical analysis of the malware.

Cerber Ransomware dashboard

The growing ransomware-as-a-service (RaaS) model is unique in the cyber-crime landscape in the sense that the malware developer recruits affiliates who spread the malware in return for a percentage of the profits. This tactic allows the malware to achieve a wider reach and generate greater revenue. More importantly, it enables non-technical actors to take part in the highly profitable business and run independent campaigns, using a set of assigned Command and Control (C&C) servers and a convenient control panel.

Until now, the ransomware-as-a-service industry remained an uncharted region of cybercrime. Very little was known about the operation of such franchises, making it harder for defenders to trace them effectively. Our joint research sheds new light on the Cerber ransomware and for the first time provides an understanding of the operational and technical nature of this ecosystem.

The findings are published in this paper titled: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service

The report includes a full technical analysis of the malware’s functionality and reveals the payment transaction flow, based on the money transfers to participating actors. It covers:

  • Review of the ransomware-as-a-service ecosystem, tool advertisements, affiliate programs, and the user interface for campaign and profit management.
  • Analysis of the attack data, exposing the full extent of operations in July 2016, as well as details on currently active campaigns, distribution methods, target attribution and infection rate.
  • Investigation of the Bitcoin wallets generated for each victim, revealing the actual profits and transaction flow.
  • Full technical description of the malware’s functionality, encryption process, communication methods, and evasion techniques.

We’d like to thank our partners and co-authors at Checkpoint for joining forces with us and conducting this in-depth study.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.