Researchers claim to have found the largest ransomware-as-a-service (RaaS) ring to date. The operation generates an estimated $2.5 million annually and targets computer users with a new variant of the notorious Cerber ransomware.
According to a research report published today by Check Point Software Technologies and IntSights, the RaaS ring consists of 161 active campaigns with eight new campaigns launched daily. For the month of July, it’s estimated that criminals earned close to $200,000 from victims paying approximately 1 bitcoin ($590) to decrypt files locked by the Cerber ransomware.
“These groups have become increasingly organized and shrewd about how to maintain infections, grow their enterprise, and evade detection,” said Maya Horowitz, threat intelligence group manager with Check Point.
Cracking RaaS rings is nothing new. In June, researchers at Flashpoint uncovered an affiliate network that consisted of kingpin ransomware makers partnering with less-sophisticated ransomware infection experts who acted as foot soldiers finding new victims. But Horowitz said this most recent discovery takes RaaS to the next level, utilizing a sophisticated crypto-currency money-laundering technique called Bitcoin mixing, coupled with a well-oiled affiliate network system.
Bitcoin mixing, Horowitz describes, is a technique used by the RaaS cybercriminals to ensure ransomware profits remain untraceable. “A mixing service allows the ransomware author to transfer Bitcoin and receive the same amount back to a wallet that cannot be associated with the original owner… The process mixes other users’ money, using tens of thousands of Bitcoin wallets, making it almost impossible to track them individually. Furthermore, the user can divide the money among several Bitcoin wallets at the end of the mixing process,” according to the researchers’ report.
This technique allows the hundreds of affiliates to avoid the scrutiny of their Bitcoin activities being recorded and available publicly via the blockchain, a comprehensive database that keeps a record of each transaction made using Bitcoin currency, Horowitz said. Law enforcement agencies and security companies, she said, monitor blockchain activity for wallets holding large amounts of Bitcoins that conduct many daily small transactions. While Bitcoins are anonymous and can’t be linked to specific users, blockchain activity can be monitored, Horowitz said.
“While the threat actors get all the ransomware payouts, they don’t want to have one wallet with all the Cerber money in it so they use a mixing service,” Horowitz explains. “The mixing service spreads the money to thousands of different wallets, mixing them with other people’s money. Then the threat actors distribute the profits back to the affiliates via Bitcoin wallets. This way anyone monitoring blockchain activity will not see where the money is coming from.”
Ransomware authors, according to researchers, keep 40 percent of the profits, paying out 60 percent to affiliates who find them fresh new targets.
Researchers say that attackers are using a new variant of Cerber, dubbed Cerber 2, released on July 29. Despite the update, Check Point said it has a decryption tool for both the old version of the Cerber ransomware and the Cerber 2 version.
Since its debut in February 2016, Cerber has been delivered via rolling waves of spam along with the Magnitude, RIG and Nuclear Pack exploit kits. Cerber is best known for its high creep factor in using text-to-speech to “speak” its ransom note to victims. With this latest Cerber 2 release, not much has changed beyond affiliate usability features such as an updated domain synchronization for the ransomware’s HTML instructional landing page.
Check Point and IntSights said they were able to gain deep intelligence into the Cerber RaaS by monitoring the actual C2 communications between infected endpoints and servers operated by criminals.
“In the past, this type of coordinated attack was the work of nation state actors. Then it used to be attackers who were knowledgeable and technically skilled,” Horowitz said. Now, automated attack tools and RaaS networks have put cyberattacks in the reach of the masses. “Affiliates can buy exploits and rent the ransomware. They don’t need any technical knowledge or tools. They just need access to the Dark Web and pay someone for the services,” she said.
The researchers estimate that just 0.3 percent of those infected with Cerber actually pay up. The country currently hit with the highest number of infections is South Korea, with the U.S. ranking fourth in terms of targeted countries.
According to researchers, exploit kit-based campaigns accounted for 41 percent of all Cerber infections, with phishing emails containing malicious attachments accounting for the remaining infections. The Magnitude EK accounts for 84 percent of successful exploit kit infections, according to Check Point.