Image by Daoleduc via GettyImages.ca

Canadians are among those who have fallen victim to a global ransomware-as-a-service scheme which targeted tens of thousands of users in 201 countries and territories in July alone, according to security researchers.

The researchers at Check Point Software and IntSights Cyber Intelligence of Israel released a report Tuesday saying the service, which they call Cerber, is currently running 161 active campaigns with a total estimated profit of US$195,000 last month alone. In July an estimated 150,000 devices were infected. Each day an average of eight new campaigns are launched, Check Point says.

The developer claims an average of three per cent of victims give up and purchase the decoder for decrypting documents (apparently a bit of criminal inflation: Check Point says the number was closer to 0.3 per cent in July), with an average payment of US$500. That low value suggests most victims are private individuals. However, the report says one subscriber has created several campaigns around emailed job applications that include infected resumes as attachments. These campaigns target the United States, the U.K. and German-speaking countries including Germany, Austria, and Switzerland.

CISOs who by policy have locked down Microsoft Office by disabling macros should note that some campaigns include instructions telling those who open the attachment to manually enable the macro content so the document can be read.

The biggest percentage of victims so far are in South Korea (29 per cent), the U.S. (14 per cent), Taiwan (9 per cent) and China (8 per cent). However, Check Point says there’s evidence to support the developer’s claim that Americans are among the top people willing to pay up.

“The highly profitable business of ransomware is no longer reserved only for skilled attackers,” says the report. “Even the most novice hacker can easily reach out in closed forums to obtain an undetected ransomware variant and the designated set of command and control (C&C) infrastructure servers required to easily manage a successful ransomware campaign.”

Ransomware-as-a-service operates like any other cloud service. It first came to the attention of Check Point in February on a darknet forum with ads — some in Russian — inviting potential actors to join the Cerber affiliate distribution program. In return, an affiliate earns 60 per cent of the profits from victims who capitulate to the Bitcoin ransom, with an additional five per cent for recruiting a new member to the program. The rest of the money goes to the developer.

A unique Bitcoin address is generated for each victim. The affiliate can change the initial ransom demand, which doubles after five days if not paid in full. Upon payment, the victim can download a unique decryption tool for his machine. The developer says there is a “polite and friendly” online support service for subscribers, with a ticketing system embedded in the affiliate panel.

Typically attackers package Cerber in an infected email attachment or deliver it through popular exploit kits such as Magnitude, Neutrino, and RIG — and some of these are themselves offered as exploit-as-a-service.

Graphic breaks down Cerber ransomware as delivered by exploit kit

Cerber-infected machines report to a dedicated server that monitors the performance and efficiency of the malware by gathering statistics on current infections, payment procedures, and actual profit, says Check Point. To avoid detection of the server, the ransomware broadcasts each message to a wide IP range over the UDP protocol — supposedly for security. But because the data is sent to a large number of addresses, the report says it can be easily traced and monitored by every server in that range, allowing the vendor to decode and collect accurate information about the ransomware’s activity.
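The statistics beacon described above has a network signature a defender can look for: one internal host sending small UDP datagrams to many consecutive addresses in a single range within seconds. The detector below is an added example, not code from Check Point or the report; the flow-log format, the destination port 40001 and the 198.51.100.0/24 range are constructed for the example and are not Cerber indicators.

```python
"""Flag hosts whose small UDP datagrams fan out across many addresses of one block."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
import re

# Constructed flow-log line format: "<ISO ts> <src> -> <dst>:<port> <proto> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>\w+)\s+(?P<bytes>\d+)$"
)

def parse_flow(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "port": int(m["port"]),
            "proto": m["proto"].lower(), "bytes": int(m["bytes"])}

def find_udp_fanout(lines, prefix_len=24, min_targets=16,
                    window=timedelta(seconds=30), max_bytes=256):
    """Return {(src, dst_port, network): distinct_targets} for every source whose
    UDP datagrams of at most max_bytes reached min_targets or more distinct hosts
    inside one /prefix_len block within any sliding window of `window` seconds."""
    events = defaultdict(list)  # (src, port, network) -> [(ts, dst), ...]
    for line in lines:
        f = parse_flow(line)
        if not f or f["proto"] != "udp" or f["bytes"] > max_bytes:
            continue
        net = ip_network(f"{f['dst']}/{prefix_len}", strict=False)
        events[(f["src"], f["port"], net)].append((f["ts"], f["dst"]))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding time window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts

SAMPLE_FLOWS = [  # constructed: 10.0.0.5 beacons to 20 consecutive addresses in 20 s
    f"2016-07-14T10:02:{i:02d}Z 10.0.0.5 -> 198.51.100.{i + 1}:40001 udp 21"
    for i in range(20)
] + [
    "2016-07-14T10:02:05Z 10.0.0.7 -> 10.0.0.2:53 udp 64",        # ordinary DNS, one target
    "2016-07-14T10:02:06Z 10.0.0.7 -> 10.0.0.2:53 udp 71",
    "2016-07-14T10:02:09Z 10.0.0.5 -> 203.0.113.9:443 tcp 1420",  # TCP, ignored
]
```

Tune `min_targets`, `prefix_len` and `max_bytes` to your environment; legitimate discovery traffic such as mDNS or NetBIOS will also fan out and should be allow-listed by port before alerting.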

Rather than funnel Bitcoin payments into one wallet, which could be tracked, the scheme uses a Bitcoin mixing service, according to the report, which allows the ransomware author to transfer Bitcoin and receive the same amount back to a wallet that cannot be associated with the original owner. The process mixes other users’ money, using tens of thousands of Bitcoin wallets.

The best ways organizations and individuals can protect themselves against ransomware are by being cautious before opening any attachments or clicking on links in email, and by regularly backing up data so a locked computer isn’t a disaster — the only loss is the hard drive if it can’t be re-formatted.