Chapter 7. Cerber

Cerber is the perfect ransomware family to highlight here because it is a good representation of the second generation of ransomware. Some of the characteristics of the Cerber ransomware include:

  • The team behind it is well funded.
  • There is a short release cycle between versions.
  • There is a formal development process, which results in quality code.
  • The team behind Cerber is constantly investigating new methods to avoid detection.

With a few notable exceptions, the first generation of ransomware families were thrown together in an ad hoc manner and delivered haphazardly. There was little organization behind many of the early ransomware teams. Now that more established hacking groups have seen the kind of money ransomware campaigns can raise, that is starting to change. Cerber is the result of that change: an established hacking team diverts resources from other types of attacks and focuses on ransomware.

Cerber is an interesting ransomware family because the hacking team behind it, suspected to operate out of Russia, is nimble and quick to adapt to new ways of delivering its ransomware. The team has also created a highly successful affiliate program: Checkpoint estimates that in July 2016, Cerber earned $195,000 across all affiliates, and with a 40% cut, the hacking group behind Cerber earned $78,000—in one month.1 Checkpoint estimates that the attackers behind Cerber have earned more than $950,000 in the last year.

Cerber got ...
