Cerber ransomware operation exposed… and boy is it lucrative!

Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world

David bisson
David Bisson

Cerber ransomware operation exposed... and boy is it lucrative!

Researchers have cracked open Cerber and revealed it to be one of the most lucrative ransomware-as-a-service (RaaS) platforms in the world.

The Check Point Threat Intelligence Research Team revealed the extent to which Cerber has grown since its discovery in early spring 2016:

“Cerber has a wide distribution, due in part to its successful use of leading exploit kits. By monitoring the actual C&C communications, we were able to create a complete view of the ransomware’s activity. Cerber is currently running 161 active campaigns, launching an average of eight new campaigns daily, which have successfully infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone.”

Sign up to our free newsletter.
Security news, advice, and tips.


Exploit kits have indeed played a large part in Cerber’s distribution, though to varying degrees. The Magnitude exploit kit accounted for 84 percent of exploit kit infections, including those that resulted from a malvertising attack that struck Pirate Bay back in April. Neutrino and Rig followed at 14 percent and 2 percent, respectively.

Even so, Cerber likely derives most of its success from its affiliate program.

And why wouldn’t it? What novice computer criminal wouldn’t want to penny up the dough for access to command-and-control (C&C) servers and a control interface with up to 12 language settings, design their own campaigns, and get to keep up to 60 percent of the profits?

If that weren’t enough, most affiliates can rest assured they will never caught. Check Point explains the magic rests with how Cerber’s RaaS platform processes ransom payments, which usually amount to about one Bitcoin (or around US $590):

“The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage.”

Moneytrailimage 639x1024

In total, only about 0.3 percent of victims agree to pay for the return of their files. But that’s enough for the ransomware author to take in nearly one million dollars on an annual basis from the affiliate scheme alone, making Cerber one of the most profitable RaaS services around.

Check Point offers many more technical details about Cerber in a report, which is available for download here. It has also released a decryption tool for the ransomware, which Lawrence Abrams of Bleeping Computer has dissected.

Let’s hope the decryption tool receives regular updates as the ransomware continues to evolve, like it did back in June.

Just in case it doesn’t, make sure you protect yourself against Cerber ransomware infections by avoiding suspicious links and attachments, making secure backups of your important data, and by keeping your software up-to-date.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Cerber ransomware operation exposed… and boy is it lucrative!”

  1. Dave

    I have been saying this for almost a decade now: Internet hackers, most notably ransomware and ddos attackers, are akin to olden day (and in some places such as the African coast, today as well) pirates on the sea and should be dealt with accordingly. International Law should allow execution of these scumbags, they are a menace to society and civilization. It is the only way to dissuade others from joining their fray.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.