Cerber 2 Ransomware: Free Decryption Tool ReleasedMalware Developer Earns $1 Million Annually via Affiliates, Researchers Say
See Also: Threat Briefing: Ransomware
Check Point Software Technologies has released a free Cerber ransomware decryption tool that it says victims can download and use to restore forcibly encrypted ransomware files, including files encrypted by Cerber version 2, which debuted July 29. "The tool analyzes the sample file the user uploads and generates a private decryption key for the user, which they can then unlock other files with," a Check Point spokesman tells Information Security Media Group.
Cerber 2, according to anti-ransomware forum Bleeping Computer, encrypts 455 files extensions, ranging from .backupdb, .doc and .html, to .mp3, .pptx and .zip. Many current versions of Cerber demand a ransom payment of 1 bitcoin, currently worth about $570, according to security researchers. Cerber campaigns are also backed by a customer service team designed to field customer queries, in an attempt to maximize attackers' illicit profits (see Ransomware Gangs Take 'Customer Service' Approach).
Don't, however, expect the new decryption tool to work indefinitely. Indeed, Cerber 2 appeared to be developers' reaction to a free decryptor released by security firm Trend Micro, which could decrypt some - although not all - Cerber-encrypted files. "We can decrypt the data because of the weak key that Cerber used," the developer of Trend Micro's decryption tool, an employee known as Panicall, said in a discussion on a Bleeping Computer forum. He added that the weakness could only be used in some cases, suggesting that the average victim might only be able to decrypt about 70 percent of encrypted files using the tool.
But Cerber 2 fixes the weakness that Trend Micro was able to exploit, Panicall said Aug. 2 via Twitter. "The author must have read my code," Panicall said.
Check Point didn't immediately respond to a request for comment about whether it planned to participate in the No More Ransom portal, a public-private partnership designed to give ransomware victims a one-stop shop for decrypting their data, if and when related tools are available (see Ransomware Gangs Take 'Customer Service' Approach).
New variant of Cerber ransomware confirmed today, not supported by our tool now. The author must have read my code. @demonslay335— panicall (@fuzzerDOTcn) August 2, 2016
Best Strategy: Avoid Infection
The cat-and-mouse game between Cerber's developer and security firms - working on behalf of victims - is a reminder that the best way to deal with a ransomware infection is to never get infected in the first place. For any individual or organization that does suffer a ransomware infection, however, the next step involves mitigation, and deciding on a course of action: Pay the ransom, kiss the data goodbye or decrypt the data using a freely available tool.
Decisions can be complicated by time-related factors. "Institutions that have time-sensitive records, like hospitals and banks that need to get access immediately, are increasingly being the targets for ransomware," says Mark Rasch, security evangelist at Verizon Enterprise Solutions (see Hospitals and Ransomware: The Temptation to Pay).
That's because cleaning up from a ransomware infection takes time. Any organization that can't afford to spare that time - not just hospitals and banks but also law firms and any organization involved in sensitive merger-and-acquisition discussions - will face incentives to pay attackers.
The rise of ransomware has been aided by automated attack tools, such as Cerber, that are designed to be used by those who are not technically proficient. In fact, Cerber gets distributed via an affiliate program, Check Point says in a new report into the gang behind Cerber. Check Point notes that it first found a Russian-language advertisement soliciting new affiliates posted by an individual using the handle "crbr" on an underground forum in February. "The ad includes an extensive and accurate explanation about the malware itself, the landing pages, the partnership program through which the malware is sold and the estimated profit," the Check Point report says.
Based on its researchers' subsequent, presumably anonymous, interactions with crbr, Check Point says that crbr's job is to recruit new affiliates to infect PCs with Cerber. "In return, the participating affiliate receives part of the profit," it says. "In the ad's example, the participating affiliate earns 60 percent of the profits with an additional 5 percent for recruiting a new member to the program. The rest of the money goes to the developer."
The control panel offered to affiliates is available in 12 languages, including Arabic, Chinese, Portuguese and Turkish, crbr told Check Point researchers.
According to figures supplied by crbr, 3 percent of all victims - largely hailing from Australia, Canada, France, Germany, Great Britain, India, Italy, South Korea and the United States - pay to purchase the decoder.
Cerber Gang: Russians Suspected
By tracing communications between Cerber ransomware infections and the dedicated servers used by the developer to manage the infections, Check Point estimates that Cerber ransom payments in July amounted to $195,000 via 161 active campaigns that infected nearly 150,000 victims. Accordingly, the developer's monthly takings would have been about $78,000, while affiliates would have split the rest.
If those takings remain constant, Cerber's developer stands to earn about $1 million per year. "We believe Cerber originates in Russia, as some of the advertisements appeared in Russian," Check Point's report says. "In addition, Cerber's configuration file reveals that the ransomware does not infect targets in the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine and Uzbekistan. Typical for Russian malware, this approach allows actors to avoid legal consequences by law enforcement agencies in these countries."
According to a portion of the Cerber 2 configuration file extracted by Trend Micro's Panicall, the ransomware also won't run if it detect anti-virus software from one of 17 vendors, including Avast, Bitdefender, ESET, F-Secure, Kaspersky Lab and Lavasoft.
Check Point says many Cerber infections get spread via exploit kits, noting that Neutrino exploit kit victims account for 11 percent of all Cerber ransom payments, while Magnitude exploit kit victims account for 8 percent.