The money trail behind ransomware-as-a-service (RaaS)

Max Pritchard

A recent report published by the Check Point Threat Intelligence Team has revealed interesting information about the Cerber ransomware operation. Cerber makes money by infecting victims’ machines, encrypting their files, and then charging them money (starting at ~$600) to decrypt them.

Cerber is an example of cybercrime run as a professional, if criminal, business. It has an affiliate programme with advertising and recruitment, a multi-lingual portal controlling custom distributions and ‘campaigns’ for each affiliate, stats to monitor the effectiveness of campaigns, and a sophisticated operational, billing and financial collection process to support its own and its affiliates’ efforts to avoid identification and law enforcement.

Three features are of particular note. The first is that the malware itself is coded not to infect machines in certain countries, which protects the author somewhat from law enforcement and extradition laws. The second is that the payment method uses a Bitcoin mixing service, which allows ill-gotten funds to be laundered. Finally, the service was updated and upgraded on 29th July, indicating a competitive market for this kind of service.

If it weren’t evil, built as it is on visiting stress and misery on innocent people, the operation would have an efficiency, focus, and ruthlessness that’s almost enviable.

Even though under 0.3% of infected victims pay the ransom request (according to the stats), Cerber generated $195,000 in profit for the owners and affiliates in one month alone (July 2016). In the past 12 months, Cerber made the owners nearly $950,000 in profit.

I was brought up to believe that “crime doesn’t pay.” I still want to believe it, but I understand the phrase now as an aspiration of any system of justice, rather than a statement of fact. Outside of preventative measures, the goal must be to ensure that the risk of crime (the chance of getting caught and the scale of the consequences) is sufficient to outweigh the benefit to the criminal and thus avoid the impact on the victims.

Unfortunately, the likelihood of the perpetrators, or even the affiliates, being tracked down is low. Even if they were, the jurisdictional issues alone would seem to be an insurmountable barrier to conviction and punishment. It seems that while there are people willing to inflict misery on others for personal financial gain, the onus will continue to be on all of us, as potential victims, to do what we can to protect ourselves and others from the risk of data loss. If we do fall victim to these crimes, we can stifle the business by refusing to pay.

Aside from the usual advice about not opening attachments, not inserting unknown USB devices into our computers and not clicking on links: if we value the data on our computers, we need to back it up and test that we can restore from those back-ups.

There’s no time like the present.

Hats off to the teams at Check Point and IntSights. A great piece of work.