Cerber has a wide distribution, due in part to its successful use of leading exploit kits. By monitoring the actual C&C communications, we were able to create a complete view of the ransomware’s activity. Cerber is currently running 161 active campaigns, launching an average of eight new campaigns daily, which have successfully infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone.

Perhaps the most intriguing aspect of the Cerber RaaS is its money flow. Cerber uses Bitcoin to evade tracing, and creates a unique Bitcoin wallet to receive funds from each of its victims. Upon paying the ransom (usually 1 Bitcoin, which is currently worth approximately $590), the victim receives the decryption key. The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage.

By monitoring the data provided by the C&C servers, we were able to identify actual victim wallets, allowing us to effectively monitor payments and transactions involving each of these wallets. Our research also allowed us to track the actual revenue gained by the malware, as well as the path of financial transactions. The overall profit made by these Cerber RaaS campaigns in July 2016 was $195,000. The malware developer received approximately $78,000 and the rest was split between the affiliates, based on the number of successful infections and ransom payments each campaign achieved. On an annual basis, the ransomware author’s estimated take is $946,000 – a hefty sum with few direct costs.

