RAPTOR: Ransomware Attack PredicTOR

03/05/2018 ∙ by Florian Quinkert, et al. ∙ USC Information Sciences Institute, University of Southern California

Ransomware, a type of malicious software that encrypts a victim's files and only releases the cryptographic key once a ransom is paid, has emerged as a potentially devastating class of cybercrimes in the past few years. In this paper, we present RAPTOR, a promising line of defense against ransomware attacks. RAPTOR fingerprints attackers' operations to forecast ransomware activity. More specifically, our method learns features of malicious domains by looking at examples of domains involved in known ransomware attacks, and then monitors newly registered domains to identify potentially malicious ones. In addition, RAPTOR uses time series forecasting techniques to learn models of historical ransomware activity and then leverages malicious domain registrations as an external signal to forecast future ransomware activity. We illustrate RAPTOR's effectiveness by forecasting all activity stages of Cerber, a popular ransomware family. By monitoring zone files of the top-level domain .top starting from August 30, 2016 through May 31, 2017, RAPTOR predicted 2,126 newly registered domains to be potential Cerber domains. Of these, 378 later actually appeared in blacklists. Our empirical evaluation results show that using predicted domain registrations helped improve forecasts of future Cerber activity. Most importantly, our approach demonstrates the value of fusing different signals in forecasting applications in the cyber domain.




1 Introduction

Ransomware has emerged as a potentially devastating class of cybercrimes. In a ransomware attack, an adversary tricks victims into downloading malicious software that blocks access to their computer systems until a sum of money, or a similar ransom, is paid. Attacks on businesses have grown dramatically over the past few years. In the first quarter of 2017, Kaspersky blocked more than 240,000 ransomware infections on unique users’ computers and detected 11 new ransomware families and more than 55,000 variants. The most prevalent ransomware family was Cerber, which attacked more than 18% of the victims [1]. In May 2017, a vulnerability in Microsoft Windows operating systems exposed hundreds of thousands of computer systems worldwide to the WannaCry ransomware [2], causing widespread disruption of central infrastructure and services, including hospitals, police departments, etc.

The life-cycle of a ransomware attack is divided into two phases: an infection phase and a payment phase. In the infection phase, the attacker penetrates the victim’s computer, which is typically accomplished through malicious e-mails or via Websites infected with exploit kits (so-called drive-by download attacks). In the case of phishing e-mails, the attacker sends an e-mail to the victim with a malicious attachment. When the victim opens the attachment, the computer gets infected, and the ransomware encrypts the files on the victim’s hard drive with a strong encryption algorithm. In the case of drive-by download attacks, an adversary injects a small piece of code into a legitimate Website so that visitors are redirected to the landing page of an exploit kit. In most cases, these injections are performed by scripts that crawl large numbers of Websites and search them for vulnerabilities. The exploit kit checks the victim’s browser for vulnerabilities it can target and delivers the ransomware as payload, which then encrypts the files on the victim’s hard drive.

After a successful infection, the ransomware displays a ransom note and demands a payment from the victim for the decryption key. In order to keep track of incoming payments, the ransom note contains one or more URLs to payment Websites. The URLs typically contain a static part and a variable part, which includes a unique identifier. As it is very important to the attacker to ensure anonymity of payments, the URLs either refer to a hidden service in the Tor network or to a Website in the clearnet which runs a service like Tor2Web, which enables users to visit Websites in the Tor network without a Tor browser (although without providing the strong anonymity features typical of Tor).

In most cases, the ransomware developer changes the static part of the URL regularly, which requires them to frequently register new domains. However, since the registration of new domains is a tedious task, most ransomware developers either rely on scripts for the registration process or use identifiable patterns during the registration that we can leverage in the analysis process.

In 2016, Hao et al. proposed a system called Predator to predict whether a domain will be used maliciously, based on features extracted at registration time, such as patterns of the registered domains [3]. Remarkably, 70% of the domains predicted by Predator were later observed in domain blacklists. However, Predator can only distinguish between malicious and benign domains and does not provide information about the purpose of a particular domain, e.g., whether it is used by a certain ransomware campaign.

In addition, patterns in the time series of ransomware activity may be useful for predicting future ransomware activity. These patterns may arise when developers continue to utilize a specific ransomware variant until antivirus defenses catch up, requiring them to develop a new variant. In addition, the events at different stages of ransomware life cycle are linked: attackers register new domains when they expect them to be needed, i.e., when attacks are taking place. Temporal correlations in ransomware activity, and between different stages of ransomware activity, have predictive value. The goal of time series prediction is to analyze historical activity to identify patterns, which can then be used to infer future activity.

Inspired by these observations, we present RAPTOR—Ransomware Attack PredicTOR—a novel framework to predict ransomware activity. RAPTOR consists of two closely interconnected components. The first component identifies potential ransomware domains at time-of-registration using the observed patterns, while the second component uses these domains as an external signal in time series forecasting to predict future ransomware activity.

In the first part of this paper, we describe how to learn features of malicious domains by leveraging information in registration logs, enriched with WHOIS information. We show that these features can effectively identify new malicious domains at the time of registration. Afterwards, we describe a method for time series forecasting that uses predicted malicious domains as an external signal to improve predictions of ransomware activity. We validate our approach by applying it to the popular Cerber ransomware.

In summary, we make the following contributions:

  • Malicious domain prediction: We demonstrate how ransomware campaigns can be characterized to extract features that are predictive of new malicious domains. More specifically, we focus on information available via the Domain Name System (DNS) and WHOIS to identify likely domains that will become active in the future.

  • Time series forecasting: We study how external signals can be added to time series forecasting to improve predictions of future ransomware activity.

  • Predicting ransomware domains: We evaluate RAPTOR with a detailed case study of the ransomware family Cerber. We show that both techniques can predict future events, and we were able to successfully predict 378 domains that eventually showed up in malware blacklists.

The paper is organized as follows. We review existing literature in Section 2. Next, we describe RAPTOR’s components in Section 3. Afterwards, we evaluate RAPTOR with reference to the ransomware family Cerber in Section 4 and conclude with a discussion of the findings and future directions in Section 5.

2 Related Work

Our work is based on previous research on domain life-cycle and time series prediction and we now briefly review related work to discuss how it relates to our approach. Additionally, we review existing literature about ransomware detection.

Domain life-cycle Recent research analyzed different misbehaviors related to domain registrations. Coull et al. described malicious domain registration techniques, such as domain tasting and domain front running [4]. Alrwais et al. examined domain parking services and detected click fraud, traffic spam and traffic stealing from the parked domains [5]. Szurdi et al. analyzed typosquatting in the top-level domain .com and estimated that about 20% of the registered domains were typosquatted domains [6]. Agten et al. analyzed typosquatting of the 500 most popular domains over seven months in 2013 and revealed that about 95% of the domains were targeted by typosquatting [7].

Besides reactively analyzing malicious domain activities, proactively determining domains registered for malicious activities received more attention in recent years. Felegyhazi et al. inferred features from a known bad domain and found 3.5 to 15 new domains, of which about 74% ultimately occurred in blacklists [8]. Hao et al. analyzed the domain registration process of domains used in spamming campaigns and inferred features to determine such domains already at time of registration [9]. Later on, Hao et al. presented Predator, a system to predict at time of registration whether domains will be used for malicious purposes [3]. We extend this line of work and demonstrate how it can be tailored to predict ransomware activity.

Time series prediction Developing a precise model for the dynamic behavior of time series is a challenging problem and an essential one for the success of forecasting methods. Researchers have extensively studied and used time-series analysis in many domains, such as finance [10], epidemiology [11], geophysics [12], and sociology [13]. A popular strategy for analyzing time series data is using classical autoregressive models such as AR, ARMA, ARIMA, and ARIMAX [14, 12, 15]. Autoregressive models are widely used in intrusion detection, DoS attack detection, and network monitoring [16]. These models assume that the underlying data-generating process is linear, i.e., the value at a time point is a linear combination of the past values. However, real-world time series exhibit volatility and nonlinearity. A way to deal with the problem of volatility is to employ ARCH and GARCH, which are extensions of classical autoregressive models [17]. To address the problem of nonlinearity, we can exploit state space models, such as hidden Markov models [18] and dynamic linear models [12]. A hidden Markov model (HMM) assumes that the dynamics of a system at a time point are generated by one of several hidden states (unobserved regimes) evolving according to a Markov chain over time [17]. HMMs have been used to infer interpretable threat trends and to detect attacks from time series data [19, 20].

Ransomware detection Ransomware is one of the most prevalent threats. Therefore, researchers recently proposed different mechanisms to detect ransomware. Kharaz et al. proposed UNVEIL, a system that detects ransomware by keeping track of typical ransomware behavior like massive encryption of files [21]. They were able to detect more than 13,000 malware samples from different families. Andronio et al. presented HELDROID, which searches for necessary ransomware components in mobile applications [22]. Continella et al. described ShieldFS, a filesystem add-on that detects and rolls back malicious changes [23]. Kolodenker et al. introduced PayBreak, a system that detects the usage of symmetric cryptography and stores the used session keys to provide the user access to the encrypted data [24].

In contrast to the presented related work, our approach focuses not on the detection of ransomware infections on a host system but on the forecasting of ransomware campaigns.

3 Raptor

For their attacks to scale, ransomware developers rely on scripts to automate (parts of) the ransomware life-cycle. Our goal is to characterize attackers by observing the traces their scripts and other malicious behaviors leave. The intuition is that these traces enable us to learn features that are predictive of new attacks. Specifically, we want to learn features which will allow us to predict—at the time of registration—whether a domain will eventually be used in a ransomware attack. We also want to predict how many such domains will be registered. In the following, we describe our approach, called RAPTOR, to address these challenges.

3.1 Ransomware Domain Prediction

We refer to domains right after registration as inactive and to those actually being used by ransomware developers as active. According to RFC 1034 [25], a zone file consists of resource records which contain the domain name, type, class, time to live, and RDATA fields. We download zone files on a daily basis from ICANN’s Centralized Zone Data Service (CZDS) [26] and compare the current zone file to the previous day’s zone file to identify newly added resource records.
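As an added example (not part of RAPTOR's prototype), the following Python code shows the zone-file diff described above on two constructed snapshots of a .top zone: it parses RFC 1034 master-file records, keeps the NS delegations of second-level names (a new registration appears in the TLD zone as NS records for the new name), and reports which domains appeared since the previous day together with their nameservers, which is exactly the input the Step 1 Classifier works on. Record layout, domain names and nameservers are made up; real CZDS files are far larger but use the same one-record-per-line syntax.

```python
"""Added example (not RAPTOR's code): diff two daily TLD zone-file snapshots to find
newly delegated, i.e. newly registered, second-level domains and their nameservers."""
import re
from typing import Dict, Set

# Constructed snapshots of a .top zone on two consecutive days, in RFC 1034
# master-file syntax (owner TTL class type RDATA). CZDS files use lowercase
# class/type and trailing dots; the names and nameservers below are made up.
ZONE_DAY_1 = """\
$ORIGIN top.
$TTL 3600
top.           3600 in soa a.nic.top. hostmaster.nic.top. 2017010100 7200 3600 1209600 3600
top.           3600 in ns  a.nic.top.
example.top.   3600 in ns  ns1.example-host.net.
example.top.   3600 in ns  ns2.example-host.net.
bulkreg1.top.  3600 in ns  ns1.cheap-dns.example.
"""

ZONE_DAY_2 = """\
$ORIGIN top.
$TTL 3600
top.           3600 in soa a.nic.top. hostmaster.nic.top. 2017010200 7200 3600 1209600 3600
top.           3600 in ns  a.nic.top.
example.top.   3600 in ns  ns1.example-host.net.
example.top.   3600 in ns  ns2.example-host.net.
1cbcpy.top.    3600 in ns  ns1.cheap-dns.example.
1cbcpy.top.    3600 in ns  ns2.cheap-dns.example.
1nsnuh.top.    3600 in ns  ns1.cheap-dns.example.
"""

# One resource record per line: owner, TTL, class, type, RDATA. Directives such as
# $ORIGIN/$TTL and anything else that is not a record simply fail to match.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>in)\s+(?P<type>[a-z]+)\s+(?P<rdata>.+?)\s*$",
    re.IGNORECASE,
)


def delegations(zone_text: str, tld: str = "top") -> Dict[str, Set[str]]:
    """Map every delegated second-level domain under `tld` to its set of nameservers.

    The NS owner names are the registered domains and the RDATA are the nameservers
    the Step 1 Classifier can look at. The zone apex and deeper names are ignored.
    """
    result: Dict[str, Set[str]] = {}
    for line in zone_text.splitlines():
        m = RR_LINE.match(line)
        if not m or m.group("type").upper() != "NS":
            continue
        owner = m.group("owner").rstrip(".").lower()
        labels = owner.split(".")
        if len(labels) != 2 or labels[1] != tld:
            continue
        result.setdefault(owner, set()).add(m.group("rdata").rstrip(".").lower())
    return result


def newly_registered(prev_zone: str, cur_zone: str, tld: str = "top") -> Dict[str, Set[str]]:
    """Domains delegated in today's snapshot that were absent yesterday."""
    prev, cur = delegations(prev_zone, tld), delegations(cur_zone, tld)
    return {name: ns for name, ns in cur.items() if name not in prev}


def dropped_registrations(prev_zone: str, cur_zone: str, tld: str = "top") -> Set[str]:
    """Domains present yesterday but gone today, e.g. cancelled registrations
    (the short-lived names noted under Table 4 look like this in a diff)."""
    return set(delegations(prev_zone, tld)) - set(delegations(cur_zone, tld))


if __name__ == "__main__":
    for name, servers in sorted(newly_registered(ZONE_DAY_1, ZONE_DAY_2).items()):
        print(name, sorted(servers))
    print("dropped:", sorted(dropped_registrations(ZONE_DAY_1, ZONE_DAY_2)))
```

Diffing delegations rather than raw lines matters in practice: a domain whose registrant merely changes one nameserver produces changed lines but is not a new registration, and a name that is delegated on one day and gone the next is a candidate for a cancelled registration rather than a live one.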

Additionally, we collect active domains, which were used by a particular ransomware, from blacklists such as abuse.ch’s ransomware tracker [27]. We use these domains together with known benign domains to train a supervised machine learning based classifier in order to predict which of the newly registered domains will be used by the ransomware.

Figure 1 shows a high-level overview of RAPTOR’s domain classifiers. In particular, we use two classifiers to predict which domains will be used by the ransomware. First, we use a classifier which filters newly registered domains from the zone file diffs based on the domain structure and the nameservers, i.e., information obtained from the zone file itself (Step 1 Classifier). Afterwards, we collect WHOIS information about the remaining domains and use a second classifier to filter based on this information (Step 2 Classifier).

Figure 1: High-level overview of RAPTOR’s classifiers

We use the same sets of known malicious and known benign domains as training data for both classifiers. However, we use different features. The WHOIS service provides information about a domain, such as the registrant, the admin, and/or the time of registration [28]. Collecting large amounts of WHOIS information is a time-consuming task, since the WHOIS service stops serving responses after a small number of requests are sent from the same IP address in a short period of time. Additionally, the response’s structure is different for each top-level domain, so that multiple parsers are necessary. Commercial vendors offer parsed WHOIS information for sale. However, in most cases the number of requests per day/month is rather small. We obtain our WHOIS information from a service called whoisxmlapi [29]. Therefore, we use the Step 1 Classifier to reduce the number of potentially malicious domains, i.e., the number of necessary WHOIS requests, and the Step 2 Classifier to predict which domains are likely to be used maliciously by the particular ransomware. We refer to these domains as domain candidates.

The Step 1 Classifier and Step 2 Classifier use the features shown in Table 1. Since ransomware developers use scripts to register a large number of domains, the features aim at finding patterns in the domain structure and WHOIS information of the training data and applying them to the newly registered domains. Features #1 - #7 focus on patterns that are directly inferable from the domain name or WHOIS information. Features #7, #10 and #11 capture the reuse of information during the registration process, whereas features #8 and #9 use common characteristics of malicious domain registrations, such as a rather short registration period.

Step 1 Classifier features (from the zone file)
  #1  Length of domain name
  #2  At least one letter in domain name
  #3  Domain name consists only of digits
  #4  Number of distinct characters
  #5  Hyphen in domain name
  #6  Domain name starts with number

Step 2 Classifier features (from WHOIS)
  #7  Registrant’s organization is part of registrant’s name
  #8  Number of days a domain is registered for
  #9  Weekday of registration
  #10 Registrant’s fax equals registrant’s telephone
  #11 Registrant, admin and tech are equal
Table 1: Features used in Step 1 / Step 2 Classifier
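As an added example (not RAPTOR's code), the following Python code computes the eleven features of Table 1 for one newly registered domain: features #1 - #6 from the registered name alone, and #7 - #11 from a parsed WHOIS record. The WHOIS key names (registrant_name, admin_name, created, expires, ...) are an assumption of this example, not the layout of the whoisxmlapi response, and both WHOIS records are constructed, one mimicking the copy-paste pattern of a scripted registration and one an ordinary business registration.

```python
"""Added example (not RAPTOR's code): computing the Table 1 feature vectors for a
newly registered domain from its name (Step 1) and a parsed WHOIS record (Step 2)."""
from datetime import date
from typing import Dict, List


def second_level_label(domain: str) -> str:
    """The label the registrant chose, e.g. '1cbcpy' for '1cbcpy.top'."""
    return domain.rstrip(".").lower().split(".")[-2]


def step1_features(domain: str) -> List[int]:
    """Features #1-#6: derived from the registered name alone, so they cost no WHOIS lookup."""
    label = second_level_label(domain)
    return [
        len(label),                            # #1 length of domain name
        int(any(c.isalpha() for c in label)),  # #2 at least one letter
        int(label.isdigit()),                  # #3 consists only of digits
        len(set(label)),                       # #4 number of distinct characters
        int("-" in label),                     # #5 hyphen in domain name
        int(label[:1].isdigit()),              # #6 starts with a number
    ]


def step2_features(whois: Dict[str, str]) -> List[int]:
    """Features #7-#11 from a parsed WHOIS record.

    The key names (registrant_name, registrant_org, ...) are an assumption of this
    example; a real parser (or the whoisxmlapi response) uses its own field names.
    """
    org = whois.get("registrant_org", "").strip().lower()
    name = whois.get("registrant_name", "").strip().lower()
    created = date.fromisoformat(whois["created"])
    expires = date.fromisoformat(whois["expires"])
    phone = whois.get("registrant_phone", "").strip()
    fax = whois.get("registrant_fax", "").strip()
    contacts = {whois.get(k, "").strip().lower()
                for k in ("registrant_name", "admin_name", "tech_name")}
    return [
        int(bool(org) and org in name),   # #7 registrant's organisation is part of registrant's name
        (expires - created).days,         # #8 number of days the domain is registered for
        created.isoweekday(),             # #9 weekday of registration (1 = Monday ... 7 = Sunday)
        int(bool(fax) and fax == phone),  # #10 fax equals telephone (two empty fields do not count)
        int(len(contacts) == 1),          # #11 registrant, admin and tech contacts are equal
    ]


def feature_vector(domain: str, whois: Dict[str, str]) -> List[int]:
    """Concatenated Step 1 + Step 2 vector, the row a classifier would be trained on."""
    return step1_features(domain) + step2_features(whois)


# Constructed WHOIS records (not real registrations): one with the copy-paste pattern of a
# scripted registration, one looking like an ordinary business registration.
SCRIPTED_WHOIS = {
    "registrant_name": "John Doe", "registrant_org": "Doe",
    "admin_name": "John Doe", "tech_name": "John Doe",
    "registrant_phone": "+1.5550100", "registrant_fax": "+1.5550100",
    "created": "2017-02-01", "expires": "2018-02-01",
}
BUSINESS_WHOIS = {
    "registrant_name": "Jane Roe", "registrant_org": "Example Corp",
    "admin_name": "Jane Roe", "tech_name": "Hostmaster Example Corp",
    "registrant_phone": "+1.5550199", "registrant_fax": "",
    "created": "2016-06-15", "expires": "2018-06-15",
}

if __name__ == "__main__":
    print("1cbcpy.top  ", feature_vector("1cbcpy.top", SCRIPTED_WHOIS))
    print("my-shop.top ", feature_vector("my-shop.top", BUSINESS_WHOIS))
```

The two-stage split is visible in the code: step1_features needs nothing beyond the zone-file diff, so it can be applied to millions of names per day, while step2_features is only computed for the names that survive the first filter, which is what keeps the WHOIS request budget manageable.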

3.2 Time Series Prediction

The intuition behind time series prediction is that when events are correlated in time, then given a sequence of events, one can learn patterns of past events that are useful for predicting future events. For example, consider that a ransomware attack has already occurred. An existing attack increases the likelihood of another attack, since ransomware developers reuse the tools and kits to launch repeated attacks or attacks on new targets. Time series prediction techniques use historical data about events to learn a model of the process that produced these events. The model can, in turn, be used to predict new events. Below we describe how we apply two models widely used in time series prediction—the hidden Markov model and the autoregressive model—to address the challenge of modeling malicious behavior.

3.2.1 Prediction with the Hidden Markov Model

We propose to use a hidden Markov model (HMM) to predict malicious domains that will be involved in attacks. HMMs have been successfully used, for example, to model and predict attacks of terrorist groups [30]. In our context, the key idea of the HMM is that the current number of events (e.g., detected domains) depends on the past history of events through dominant hidden states, which represent different operational phases of the registration process. For example, the hidden states of a two-state HMM correspond to ‘low-activity’ and ‘high-activity’ processes, as shown in Figure 2. The process transitions probabilistically between the low-activity and high-activity states. While in a particular state, the process outputs events according to a statistical distribution with a state-dependent rate.

Figure 2: Hidden Markov model for ransomware domain registration.

Consider an observed sequence of events, e.g., the daily number of ransomware domain registrations or attacks, and the underlying sequence of hidden states of the process giving rise to these events; the length of the time series is the number of observed days. An HMM is described by a set of hidden states, the transition probabilities between the states, the initial probabilities of the states, and the emission probabilities of events conditioned on the hidden state. The hidden states are discrete-valued random variables. Transitions between the states are Markovian, i.e., the future state is conditionally independent of the past states given the current state. In our problem setting, the events emitted in a state are drawn from one of four possible distributions: Poisson, Gaussian, geometric, and hurdle geometric. The generative process for the model is shown in Algorithm 1.


Algorithm 1 Generator() for HMM
Input: a set of parameters
Output: number of domain registrations
1. Choose the initial state
2. Draw each row of the transition matrix
3. Choose the emission probability distribution
4. for each time step do
5.   if not the 1st day then draw the current state from the transition matrix
6.   Draw the number of registrations from the emission distribution of the current state

Estimating HMM Parameters The unknown parameters of the proposed HMM are the initial state probabilities, the transition probabilities, and the emission parameters. No analytical solution exists for this model that maximizes the probability of the observed sequence (i.e., the likelihood) [31]. Hence, we apply an Expectation Maximization (EM) based algorithm (a.k.a. Baum-Welch re-estimation) to estimate the parameters of the model.

Predicting with HMM To predict the number of new events (i.e., ransomware domain registrations), we adopt a sliding window approach. We learn our model from the data in a user-defined time window (e.g., 50 days) and forecast the expected number of events for the day following the last day of the window. The expected number of events on that day is the sum, over all hidden states, of the probability of being in that state on that day (given the observed window) multiplied by the expected number of events in that state.
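As an added example (not RAPTOR's code), the following Python code carries out the forecasting step just described for a two-state HMM with Poisson emissions: it runs the scaled forward algorithm over a window of daily counts to obtain the filtered state probabilities, propagates them one day ahead through the transition matrix, and weights each state's expected emission by that probability. The parameters are fixed by hand as if Baum-Welch had already been run (parameter estimation is not shown), and the daily counts are constructed, not the paper's data.

```python
"""Added example (not RAPTOR's code): filtering a two-state HMM over daily counts and
forecasting the next day's count as the state-weighted expected emission."""
import math
from typing import List, Sequence


def poisson_pmf(k: int, rate: float) -> float:
    """P(K = k) for a Poisson(rate) emission, computed in log space to survive large k."""
    return math.exp(-rate + k * math.log(rate) - math.lgamma(k + 1))


def forward_filter(counts: Sequence[int], init: Sequence[float],
                   trans: Sequence[Sequence[float]], rates: Sequence[float]) -> List[List[float]]:
    """Scaled forward algorithm: P(state on day t | counts up to day t) for every day."""
    n = len(rates)
    alpha = [init[s] * poisson_pmf(counts[0], rates[s]) for s in range(n)]
    total = sum(alpha)
    alpha = [a / total for a in alpha]
    filtered = [alpha]
    for k in counts[1:]:
        # predict: push yesterday's belief through the transition matrix
        predicted = [sum(alpha[i] * trans[i][s] for i in range(n)) for s in range(n)]
        # update: weight by how likely today's count is under each state's rate
        alpha = [predicted[s] * poisson_pmf(k, rates[s]) for s in range(n)]
        total = sum(alpha)
        alpha = [a / total for a in alpha]
        filtered.append(alpha)
    return filtered


def forecast_next_day(counts: Sequence[int], init: Sequence[float],
                      trans: Sequence[Sequence[float]], rates: Sequence[float]) -> float:
    """Expected count for the day after the window: sum over states of
    P(state tomorrow | window) times the expected emission in that state."""
    last = forward_filter(counts, init, trans, rates)[-1]
    n = len(rates)
    tomorrow = [sum(last[i] * trans[i][s] for i in range(n)) for s in range(n)]
    return sum(tomorrow[s] * rates[s] for s in range(n))


def sliding_window_forecasts(counts: Sequence[int], window: int, init, trans, rates) -> List[float]:
    """Forecast day t from days t-window .. t-1, for every t from `window` on."""
    return [forecast_next_day(counts[t - window:t], init, trans, rates)
            for t in range(window, len(counts))]


# Assumed parameters, as if estimated by Baum-Welch on past data:
# state 0 = low activity (about 1 registration/day), state 1 = high activity (about 10/day).
INIT = [0.5, 0.5]
TRANS = [[0.9, 0.1],
         [0.2, 0.8]]
RATES = [1.0, 10.0]

# Constructed daily counts of predicted Cerber domain registrations (not the paper's data).
LOW_WEEK = [0, 1, 0, 2, 1]
BURST = [0, 1, 0, 2, 1, 9, 12, 8, 11, 10]

if __name__ == "__main__":
    print("after a quiet week:", round(forecast_next_day(LOW_WEEK, INIT, TRANS, RATES), 2))
    print("after a burst:", round(forecast_next_day(BURST, INIT, TRANS, RATES), 2))
    print("sliding window (5 days):",
          [round(f, 2) for f in sliding_window_forecasts(BURST, 5, INIT, TRANS, RATES)])
```

Note what the forecast does not do: after a burst the model does not predict tomorrow's count to be the high-state rate of 10, but about 8.2, because the transition matrix says the high-activity regime ends with probability 0.2 each day. That persistence is the "ransomware developers reuse their tooling" assumption from Section 3.2, encoded as a number that Baum-Welch would fit from history.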

3.2.2 Prediction with the ARIMA Model

We also present sliding-window based autoregressive models (ARIMA) for forecasting events, including reported domains in ransomware attacks. ARIMA stands for autoregressive integrated moving average. The key idea is that the number of current events depends on the past counts and on past forecast errors. Formally, an ARIMA model is specified by three orders: the number of autoregressive lags, the number of difference operations, and the number of moving average lags (see [12]). Given the observed series of events, ARIMA first applies the difference operations to transform the series into a stationary one. The predicted value at a time point can then be expressed in terms of past observed values and past forecasting errors as follows:


Here the model has a constant term, an autoregressive (AR) coefficient for each autoregressive lag, a moving average (MA) coefficient for each moving average lag, and the forecast error at each lag; the error term is assumed to be white noise.

We use maximum likelihood estimation for learning the parameters; more specifically, the parameters are optimized with the L-BFGS method [32]. These models assume that the model orders are known and that the series is weakly stationary. To select the orders, we employ a grid search and select the combination with the minimum AIC score. A key motivation for using ARIMA is that the model requires limited history for forecasting.

3.2.3 Prediction with the ARIMAX Model

ARIMAX (Autoregressive Integrated Moving Average with Exogenous variables) is an autoregressive model that leverages (optional) external signals. In this model, the observation at a particular time point depends on immediate past observations, past forecast errors, and external variables. Like ARIMA, ARIMAX is defined with three order terms: a) the autoregressive order, b) the number of difference operations used to make the series stationary, and c) the number of moving average terms (see [12]). Given the observed series of events and optional external features, the model is defined as follows:


Here the series is the stationary one obtained after the difference operations; the model has a constant, an autoregressive (AR) coefficient for each autoregressive lag, a moving average (MA) coefficient for each moving average lag, the forecast error at each lag, and a coefficient for each external feature; the error term is assumed to be white noise.

We apply maximum likelihood estimation and a sliding window approach for estimating the model parameters and for evaluation, respectively. Our motivation to use ARIMAX for predicting domains involved in ransomware activity is the observed correlation, at various time lags, between domain registrations and the detection of domains used by ransomware. In addition to requiring only limited history for prediction, this model harnesses external signals and is robust to the absence of historical data.

3.2.4 Base rate model

We compare our proposed methods discussed in Sec. 3.2.1 to Sec. 3.2.3 against a base rate model, which is a rolling average model: Rolling Average predicts that the number of future events will be the average number of past events over a time window.

3.2.5 Evaluation of time series models

We use three error measures for quantitative evaluation of our time series models: a) mean absolute error (MAE), b) root mean squared error (RMSE), and c) mean absolute scaled error (MASE) [33]. These measures are defined in terms of the forecasting error at each time point, i.e., the difference between the true and the predicted value at that time point.
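As an added example (not RAPTOR's code), the following Python code puts Sections 3.2.3 to 3.2.5 together on constructed data: a sliding-window autoregressive model with one exogenous regressor, the rolling-average base rate model, and the MAE, RMSE and MASE scores that compare them. The model is a deliberate simplification of the paper's ARIMAX, namely ARIMAX(p, 0, 0) fitted by least squares rather than by maximum likelihood, so that the example is self-contained. The exogenous series stands for a signal such as the number of predicted domain candidates, already shifted so that the value for day t is known before day t; the series, the coefficients generating it and the window length are assumptions of the example, not results from the paper.

```python
"""Added example (not RAPTOR's code): a sliding-window autoregressive model with one
exogenous regressor, the rolling-average baseline, and the MAE / RMSE / MASE scores."""
import math
from typing import Dict, List, Sequence, Tuple


def solve_least_squares(rows: Sequence[Sequence[float]], targets: Sequence[float]) -> List[float]:
    """Ordinary least squares via the normal equations and Gauss-Jordan elimination."""
    n = len(rows[0])
    aug = [[sum(r[i] * r[j] for r in rows) for j in range(n)]
           + [sum(r[i] * t for r, t in zip(rows, targets))] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        if abs(aug[col][col]) < 1e-12:
            raise ValueError("design matrix is singular; use fewer lags or a longer window")
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def fit_arx(y: Sequence[float], x: Sequence[float], p: int) -> List[float]:
    """Fit y_t = c + phi_1 y_{t-1} + ... + phi_p y_{t-p} + beta x_t on one window.

    This is ARIMAX(p, 0, 0): no differencing and no moving-average terms, fitted by
    least squares instead of maximum likelihood, to keep the example self-contained.
    """
    rows = [[1.0] + [y[t - i] for i in range(1, p + 1)] + [x[t]] for t in range(p, len(y))]
    return solve_least_squares(rows, y[p:])


def predict_arx(coef: Sequence[float], history: Sequence[float], x_next: float, p: int) -> float:
    """One-step-ahead forecast from the last p observations and the exogenous value."""
    c, phis, beta = coef[0], coef[1:p + 1], coef[p + 1]
    return c + sum(phi * history[-i] for i, phi in enumerate(phis, start=1)) + beta * x_next


def arx_forecasts(y: Sequence[float], x: Sequence[float], window: int, p: int) -> List[float]:
    """Refit on the last `window` days and forecast the next one, for every day after the first window."""
    return [predict_arx(fit_arx(y[t - window:t], x[t - window:t], p), y[t - window:t], x[t], p)
            for t in range(window, len(y))]


def rolling_average_forecasts(y: Sequence[float], window: int) -> List[float]:
    """Base rate model: the mean of the previous `window` days."""
    return [sum(y[t - window:t]) / window for t in range(window, len(y))]


def mae(truth: Sequence[float], pred: Sequence[float]) -> float:
    return sum(abs(a - b) for a, b in zip(truth, pred)) / len(truth)


def rmse(truth: Sequence[float], pred: Sequence[float]) -> float:
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(truth, pred)) / len(truth))


def mase(truth: Sequence[float], pred: Sequence[float], train: Sequence[float]) -> float:
    """MAE scaled by the in-sample MAE of the naive 'same as yesterday' forecast on `train`."""
    scale = sum(abs(a - b) for a, b in zip(train[1:], train[:-1])) / (len(train) - 1)
    return mae(truth, pred) / scale


def constructed_series() -> Tuple[List[float], List[float]]:
    """Constructed data (not from the paper): daily detected domains driven by yesterday's
    count and an exogenous signal, e.g. domain candidates predicted some days earlier."""
    x = [0, 1, 0, 2, 1, 3, 0, 1, 2, 1, 0, 2, 1, 1, 0, 3, 2, 1, 0, 2]
    y = [2.0]
    for t in range(1, len(x)):
        y.append(1 + 0.5 * y[-1] + 2 * x[t])
    return y, [float(v) for v in x]


def compare_models(window: int = 8, p: int = 1) -> Dict[str, Tuple[float, float, float]]:
    """(MAE, RMSE, MASE) for the exogenous-signal model and for the rolling-average baseline."""
    y, x = constructed_series()
    truth, train = y[window:], y[:window]
    arx = arx_forecasts(y, x, window, p)
    avg = rolling_average_forecasts(y, window)
    return {"arx": (mae(truth, arx), rmse(truth, arx), mase(truth, arx, train)),
            "avg": (mae(truth, avg), rmse(truth, avg), mase(truth, avg, train))}


if __name__ == "__main__":
    for name, (m, r, s) in compare_models().items():
        print(f"{name}: MAE={m:.3f} RMSE={r:.3f} MASE={s:.3f}")
```

Because the constructed series follows the model exactly, the exogenous model recovers the coefficients and its errors are essentially zero while the rolling average is badly off; on real counts the gap is smaller, but the comparison against a base rate, and the MASE scaling that makes errors comparable across series of different magnitude, is the same evaluation the paper runs.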

4 Evaluation

We have implemented a prototype of the approach discussed in the previous section in a tool called RAPTOR. In the following, we evaluate our approach on the ransomware Cerber and conduct both a real-world case study incorporating zone files collected between August 2016 and May 2017, and a cross-validation with the domains already known to be used by Cerber. We evaluate both scenarios with reference to precision (number of true positives divided by the sum of true and false positives), recall (true positives divided by the number of actual positives) and F1-score (the harmonic mean of precision and recall). We also evaluate the time series models on the task of predicting the number of domains involved in Cerber attacks using the past time series of such domains, along with the time series of malicious domains predicted by our method.

4.1 Ransomware Cerber

Cerber was first detected at the beginning of March 2016 [34]. It infects victims via both malicious spam e-mails [35] and exploit kit-infected websites [36]. Cerber encrypts the data on a victim’s computer with AES encryption and asks for a ransom to get the decryption key. The ransom note contains between one and four different URLs for the ransom payment. The URLs link either to Tor onion services, accessible only with the Tor Browser, or to websites running the Tor2web service [37], which provides access to Tor onion services without using the Tor Browser.

The websites abuse.ch [27], broadanalysis [38] and malware-traffic-analysis [39] (referred to as data sources from here on) collect information about indicators of compromise (IOC) related to Cerber, such as domains or IP addresses. We download the domains used by Cerber on a daily basis and enrich them with information from the WHOIS database (obtained from a service called whoisxmlapi [29]). We call the domains included in this dataset known Cerber domains because they have been identified as Cerber domains in the past.

Domain Detection date
hjhqmbxyinislkkt.17rm9b.top 2017-05-20
hjhqmbxyinislkkt.1bas8q.top 2017-03-02
p27dokhpz2n7nvgr.1cbcpy.top 2017-02-02
avsxrcoq2q5fgrw2.1nsnuh.top 2016-12-21
Table 2: Examples of Cerber domains and detection dates

Table 2 shows four examples of known Cerber domains. A typical Cerber domain consists of a 16 character long third-level domain, followed by a six character long second-level domain, followed by a top-level domain:

The last time a known Cerber domain did not follow this schema was on December 5, 2016. Instead of a six character long second-level domain, Cerber used an .onion.to address. The usage of this domain provides access to the Tor2web service. However, this was the first time a divergent name schema was used since October 2, 2016 (eight characters long second level domain), so it is reasonable to assume the above schema is currently default for Cerber domains.

4.2 Dataset

As of May 31, 2017, we collected 1,459 known Cerber domains from our data sources abuse.ch, broadanalysis and malware-traffic-analysis. The bar chart in Figure 3 shows the daily number of registered and detected known Cerber domains, where “reg” (registered) refers to the domain registration date obtained from WHOIS information, and “det” (detected) means the number of domains published by our data sources on that particular day. Additionally, the figure shows the release dates of new Cerber versions.

The number of registered and detected domains is not evenly distributed. Especially after the release of version 2 (denoted as 2) [40] and version 3 (denoted as 3) [41], the number of detected domains increased considerably. Later on, Cerber released multiple major and minor versions in a short period of time so that it is challenging to link detected domains to a certain Cerber version. In 2017, Cerber released two minor versions Red 1.1 [42] and Red 1.2 [43] (Cerber stopped naming versions so that 1.1 and 1.2 are no official names). Later in 2017, Cerber developers released version 6 [44]. It is notable that especially in 2017, a high number of domains is registered only on a few days.

Figure 3: Number of detected and registered known Cerber domains per day

Additionally, we analyzed Cerber’s usage of third-level domains. It turned out that the 1,459 known Cerber domains use only 20 different third-level domains. Figure 4 shows a selection of five of Cerber’s third-level domains. Cerber uses each third-level domain only for a limited period of time. At first glance, the third-level domain might look like a good indicator to distinguish different campaigns or versions. However, Cerber uses for example “p27dokhpz2n7nvgr”, a recent third-level domain, in a variety of different Cerber infections, i.e., via malicious spam emails [35] or exploit kits [36] from different campaigns. Further investigations showed that each third-level domain belongs to a hidden service in the Tor network.

Figure 4: Number of detected known Cerber domains which were used with the particular third-level domain per day
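As an added example (not RAPTOR's code), the following Python code performs the two checks from Sections 4.1 and 4.2 on a constructed feed in the layout of Table 2: it tests entries against the Cerber naming schema (a 16-character third-level label, a 6-character second-level label, then the TLD), separates the registered domain from the third-level label so that double additions of one registered domain under different third-level labels are counted once, and computes per third-level label the first and last detection date, i.e., the period during which that hidden service was in use. The first four feed lines are Table 2's own examples; the remaining three (a second detection of 1bas8q.top, an .onion.to entry and an eight-character second level) are made up to exercise the off-schema cases the paper mentions.

```python
"""Added example (not RAPTOR's code): checking data-source entries against the Cerber
naming schema (16-character third level, 6-character second level, TLD) and
grouping detections by third-level label."""
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

CERBER_SCHEMA = re.compile(
    r"^(?P<third>[a-z0-9]{16})\.(?P<second>[a-z0-9]{6})\.(?P<tld>[a-z]{2,})$")

# Constructed feed in the "domain detection-date" layout of Table 2. Lines 1-4 are
# Table 2's examples; lines 5-7 are made up: a double addition of 1bas8q.top under
# another third-level label, an .onion.to entry and an eight-character second level.
FEED = """\
hjhqmbxyinislkkt.17rm9b.top 2017-05-20
hjhqmbxyinislkkt.1bas8q.top 2017-03-02
p27dokhpz2n7nvgr.1cbcpy.top 2017-02-02
avsxrcoq2q5fgrw2.1nsnuh.top 2016-12-21
avsxrcoq2q5fgrw2.1bas8q.top 2017-01-10
zzzzzzzzzzzzzzzz.onion.to 2016-12-05
zzzzzzzzzzzzzzzz.abcdefgh.top 2016-10-02
"""

Entry = Tuple[str, date]


def parse_feed(text: str) -> List[Entry]:
    """One (domain, detection date) pair per non-empty line; malformed lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        entries.append((parts[0].lower().rstrip("."), date.fromisoformat(parts[1])))
    return entries


def matches_schema(domain: str) -> bool:
    return CERBER_SCHEMA.match(domain) is not None


def registered_domain(domain: str) -> str:
    """The name the attacker had to register, e.g. '1bas8q.top'; this is what a zone-file diff sees."""
    return ".".join(domain.split(".")[-2:])


def off_schema(entries: List[Entry]) -> List[str]:
    """Entries that deviate from the default schema, worth a manual look (e.g. Tor2web hosts)."""
    return [d for d, _ in entries if not matches_schema(d)]


def distinct_registered(entries: List[Entry]) -> Set[str]:
    """Distinct registered domains among schema-conforming entries; smaller than the entry
    count when a domain was added several times under different third-level labels."""
    return {registered_domain(d) for d, _ in entries if matches_schema(d)}


def third_level_windows(entries: List[Entry]) -> Dict[str, Tuple[str, str, int]]:
    """Per third-level label (one Tor hidden service each): first and last detection date
    (ISO strings) and number of entries, i.e. the period during which it was in use."""
    seen: Dict[str, List[date]] = defaultdict(list)
    for d, when in entries:
        m = CERBER_SCHEMA.match(d)
        if m:
            seen[m.group("third")].append(when)
    return {third: (min(ds).isoformat(), max(ds).isoformat(), len(ds)) for third, ds in seen.items()}


if __name__ == "__main__":
    entries = parse_feed(FEED)
    print("off schema:", off_schema(entries))
    print("distinct registered:", sorted(distinct_registered(entries)))
    for third, (first, last, n) in sorted(third_level_windows(entries).items()):
        print(f"{third}: {first} .. {last} ({n} entries)")
```

The distinction between the full name in a feed and the registered domain is the one that matters for RAPTOR: the classifiers predict registrations, so a verified prediction is counted per registered domain, not per feed entry, which is why the paper reports both 741 entries and 621 distinct .top domains.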

Our analysis of the known Cerber domains shows that Cerber uses 32 different top-level domains. However, only the two different top-level domains bid and top appear in significant numbers (bid: 551 domains, top: 741 domains). Additionally, some domains were added multiple times to our data sources, e.g., with different third-level domains. Therefore, the distinct number of domains differs: 459 bid and 621 top domains. Table 3 shows the number of top and bid domains detected per month between June 2016 and May 2017 (including double additions). According to our data sources, Cerber used the top-level domain bid mostly between August 2016 and October 2016. By the beginning of 2017, Cerber stopped using domains of the top-level domain bid. In contrast, Cerber used the top-level domain top predominantly in two periods between July 2016 and August 2016 as well as since November 2016 to this day. Therefore, we focus our further analysis only on the top-level domain top.

2016-06 2016-07 2016-08 2016-09 2016-10 2016-11 2016-12 2017-01 – 05
bid 0 2 157 268 78 33 13 0
top 9 187 101 3 12 97 97 236
Table 3: Number of detections per month for top-level domains bid and top

4.3 Predicting Malicious Domains

We evaluate RAPTOR within a real-world study that uses data from our data sources abuse.ch, malware-traffic-analysis and broadanalysis as training data, and zone file differences of the top-level domain top we collected over the last couple of months as test data. Specifically, we collected zone files from 2016/08/30, 2016/11/28, 2017/01/10 and 2017/01/16 until 2017/05/31 (due to technical issues, we missed the zone files from 2017/01/17, 2017/02/18 and 2017/05/14). However, the approach can handle missing zone files very well because the only difference is a higher number of newly registered domains in a difference between two non-consecutive zone files, i.e., a higher number of test data. Only when the time period between two zone files is very long, it is possible that in the meantime, domains were registered and already detected by our data sources. In such a case, our approach would predict the already detected domains because the approach is not aware that domains were already detected. We encountered this problem with the differences between 2016/08/30 and 2016/11/28 as well as 2016/11/28 and 2017/01/10, respectively. Nevertheless, we decided to incorporate those zone files in our evaluation because they reveal insights into an earlier phase of Cerber’s activity and further show the usefulness of our approach.

For each zone file difference, we identify the domains our data sources already published as known Cerber domains at the second date of the zone file difference. We use these domains, along with a similar number of benign, i.e., non-Cerber, domains to train the classifiers. Afterwards, we use the classifiers to filter the zone file difference and predict which domains will be used by Cerber in the future. From today’s point of view, we can search for the predicted domains in our data sources at a later date to evaluate the predictions.

Table 4 describes the overall results for the real-world study. We analyzed 132 zone file differences and reduced the total number of domains to 13,909 with RAPTOR’s Step 1 Classifier and to 2,126 Cerber domain candidates with the Step 2 Classifier. From 2016/08/30 until today, our data sources collected 459 distinct known Cerber domains in the top-level domain top. The domains predicted by RAPTOR’s Step 1 Classifier contain 386 of those domains (recall of 0.84). We target the low precision of 0.02 with RAPTOR’s Step 2 Classifier, which reduces the number of predicted domains considerably, increases the precision to 0.17 and lowers the recall only negligibly (0.82 compared to 0.84).

Category                               Amount
# analyzed zone file differences       132
# newly registered domains             12,156,927 *
# domains after Step 1 Classifier      13,909
# verified domains Step 1 Classifier   386
# domains after Step 2 Classifier      2,126
# verified domains Step 2 Classifier   378
* Three zone file differences contain a huge number of domains which were only observed in a single zone file. Additionally, WHOIS requests to a selection of those domains revealed that the domains are not registered. Therefore, it is reasonable to assume that the registration of those domains was later canceled.
Table 4: Overall results of the real-world study

There are multiple reasons to explain the rather low precision values. First, we evaluate our prediction only against the Cerber domains detected by our data sources without any guarantee that those data sources are comprehensive and capture every used Cerber domain. Therefore, we developed a system to verify that even more domains than detected by our data sources are in fact used by Cerber. We periodically sent HTTP requests to the Cerber domain candidates and checked both the availability and if the response contained indicators of Cerber. For that purpose, we use the following URL and replace {cerber_candidate} with the Cerber domain candidates:

The first part is a recently used third-level domain. However, we detected that, with one exception, every other third-level domain works as well because Cerber forwards those requests to the recently used third-level domain. The last part is a personal ID of a victim we found with a Google search. This ID is necessary to access the payment website. If we receive a successful response, we check whether the title tag contains the word “Cerber” and, thus, make sure it is actually one of Cerber’s payment websites. Overall, we could verify 126 domains between February 2, 2017 and May 31, 2017. 99 of those domains were later added to the data sources; the remaining 27 domains were thus verified as used by Cerber only by our system.

Additionally, another reason explaining the low precision is the number of days between registration of a domain and addition to our data sources. Figure 5 shows our evaluation of the number of days between registration of a domain and addition to our data sources. It takes up to 60 days and on average 26 days pass by between registration and addition. Therefore, it is likely that additional domains we predicted will be added to our data sources in the future.

Figure 5: Number of domains and how many days after registration they were added to our data sources

Furthermore, ransomware developers register a large number of domains at once without necessarily using all of them. Thus, we might predict domains actually being registered by Cerber developers, but cannot verify them because they are not actively used yet by the attackers, which in turn lowers our precision.
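The zone-file-difference evaluation described above (newly registered domains between two snapshots, training labels taken from what the data sources had published at the second date, and predictions scored only against detections that arrive later) as an added example in Python. It is not part of the paper or of the RAPTOR code; the zone snapshots, the classifier output and the detection dates are constructed sample data, and the labels are invented placeholders. Re-scoring the same prediction set at two different "as of" dates shows the registration-to-detection lag that depresses precision in Figure 5.

```python
"""Evaluating domain predictions against blacklists that fill in over time.

Added example, not the RAPTOR authors' code. The zone snapshots, the
predicted set and the detection dates are constructed sample data.
"""
from datetime import date
from statistics import mean

# Constructed zone-file snapshots (ISO date -> labels present in the zone).
ZONE_SNAPSHOTS = {
    "2017-01-10": {"shop-a", "news-b", "abcxyz1"},
    "2017-01-16": {"shop-a", "news-b", "abcxyz1", "qwe123a", "mybiz", "zxc987b"},
    "2017-01-18": {"shop-a", "news-b", "qwe123a", "mybiz", "zxc987b", "plm456c", "blog-d"},
}

# Constructed data-source feed: label -> ISO date it was first listed as Cerber.
DETECTIONS = {
    "abcxyz1": "2017-01-12",
    "blog-d": "2017-01-17",
    "zxc987b": "2017-01-30",
    "qwe123a": "2017-02-03",
    "plm456c": "2017-03-01",
}


def _d(iso):
    return date.fromisoformat(iso)


def zone_diff(older_date, newer_date):
    """Newly registered domains between two snapshots. Skipping a snapshot
    only makes the difference larger; nothing else changes."""
    return ZONE_SNAPSHOTS[newer_date] - ZONE_SNAPSHOTS[older_date]


def dropped_since(older_date, newer_date):
    """Labels that vanished again (Table 4's footnote: seen once, later cancelled)."""
    return ZONE_SNAPSHOTS[older_date] - ZONE_SNAPSHOTS[newer_date]


def known_cerber_at(as_of):
    """What the feed had published by `as_of` (the training labels at that date)."""
    return {d for d, seen in DETECTIONS.items() if _d(seen) <= _d(as_of)}


def evaluate(candidates, predicted, registered, as_of):
    """Score `predicted` (a subset of `candidates`, the zone difference dated
    `registered`) using only detections published by `as_of`."""
    # Candidates the feed already listed at registration time: with a long gap
    # between snapshots these would be "predicted" although they are known.
    leaked = candidates & known_cerber_at(registered)
    truth = {d for d in candidates
             if d in DETECTIONS and _d(DETECTIONS[d]) <= _d(as_of)}
    tp = predicted & truth
    precision = len(tp) / len(predicted) if predicted else 0.0
    recall = len(tp) / len(truth) if truth else 0.0
    lags = [(_d(DETECTIONS[d]) - _d(registered)).days for d in tp]
    return {
        "already_known": sorted(leaked),
        "true_positives": sorted(tp),
        "precision": precision,
        "recall": recall,
        "max_lag_days": max(lags, default=0),
        "avg_lag_days": mean(lags) if lags else 0.0,
    }


if __name__ == "__main__":
    cands = zone_diff("2017-01-10", "2017-01-16")
    guess = {"qwe123a", "zxc987b", "mybiz"}   # constructed classifier output
    for as_of in ("2017-01-31", "2017-05-31"):
        print(as_of, evaluate(cands, guess, "2017-01-16", as_of))
```

Scoring the same three predictions on 2017-01-31 yields one true positive, scoring them on 2017-05-31 yields two: the verdict on a prediction is only as good as the blacklist at the time of checking, which is why the paper reports precision as a lower bound and re-checks candidates periodically.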

4.3.1 Cross-Validation

Additionally, we perform a cross-validation to address the issues of the real-world study and show the feasibility of our approach. We use a randomly chosen 10% of the known Cerber domains as well as 10% of the benign domains as test data and the remaining 90% of both known Cerber domains and benign domains as training data. In contrast to our real-world evaluation, the cross-validation has the advantage that the test data is labeled, i.e., we know whether a domain is a known Cerber domain or not, so that we can immediately verify the prediction results of our approach. We perform the cross-validation 100 times and calculate precision, recall and f1-score for each run. Table 5 shows minimum, maximum and average values for precision, recall and f1-score.

The high precision shows that our approach has a very low false positive rate, which is especially desirable because the vast majority of newly registered domains are not used by Cerber or ransomware in general. Therefore, the approach works well to filter out the irrelevant newly registered domains. Additionally, the high recall reveals a good ability to find Cerber domains. Furthermore, it shows that the low recall in the real-world evaluation is biased by the high number of unverifiable domains.

Measure     min.   max.   avg.
precision   0.90   1.00   0.96
recall      0.66   0.84   0.75
f1-score    0.79   0.90   0.85
Table 5: Precision, recall and f1-score for cross-validation
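The repeated 90/10 cross-validation behind Table 5, as an added example in Python that is not the paper's or the RAPTOR code. A Gaussian naive Bayes over four structural features of the domain label (length, digit ratio, vowel ratio, hyphen count) stands in for RAPTOR's classifiers, which also use WHOIS data; both domain lists are constructed, the Cerber-style labels being seeded random strings. The harness holds out 10% of each class per run, recomputes precision, recall and f1 for the Cerber class, and reports the minimum, maximum and average over all runs, exactly the three columns of Table 5.

```python
"""Repeated 90/10 cross-validation of a domain classifier, reporting min/max/avg.

Added example, not the RAPTOR authors' code. A Gaussian naive Bayes over a few
structural features stands in for RAPTOR's classifiers; both domain lists are
constructed sample data (the Cerber-style labels are random strings).
"""
import math
import random
from statistics import mean, pvariance

_rng = random.Random(7)
ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789"
CERBER_DOMAINS = ["".join(_rng.choice(ALPHANUM) for _ in range(_rng.randint(6, 10)))
                  for _ in range(40)]
BENIGN_DOMAINS = [
    "green-garden", "cityhotel", "best-pizza", "autoparts", "lawfirm",
    "family-dental", "photo-studio", "bookstore", "travel-blog", "musicschool",
    "bakery-shop", "sports-club", "home-decor", "yogacenter", "petcare",
    "coffee-house", "art-gallery", "techstartup", "fitness-gym", "flowershop",
    "wedding-planner", "kids-toys", "carrental", "bikeshop", "cinema-club",
    "winecellar", "craft-beer", "gardencenter", "dance-academy", "taxi-service",
    "organic-farm", "solar-energy", "citylibrary", "nail-salon", "skateshop",
    "beachresort", "mountain-lodge", "river-cruise", "citypark", "toy-museum",
]
# Label 1 = known Cerber domain, label 0 = benign domain.
DATASET = [(d, 1) for d in CERBER_DOMAINS] + [(d, 0) for d in BENIGN_DOMAINS]


def features(label):
    """Structural features of a second-level label (a stand-in feature set)."""
    n = len(label)
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return (n, digits / n, vowels / n, label.count("-"))


class GaussianNB:
    """One Gaussian per class and feature; variance is floored so that a
    feature constant within a class (e.g. no digits in benign names) still works."""
    VAR_FLOOR = 1e-3

    def fit(self, rows):
        self.params, self.prior = {}, {}
        for y in (0, 1):
            X = [features(d) for d, lbl in rows if lbl == y]
            self.prior[y] = len(X) / len(rows)
            self.params[y] = [(mean(col), max(pvariance(col), self.VAR_FLOOR))
                              for col in zip(*X)]
        return self

    def _loglik(self, d, y):
        ll = math.log(self.prior[y])
        for x, (mu, var) in zip(features(d), self.params[y]):
            ll += -0.5 * math.log(2 * math.pi * var) - (x - mu) ** 2 / (2 * var)
        return ll

    def predict(self, d):
        return int(self._loglik(d, 1) > self._loglik(d, 0))


def prf(y_true, y_pred):
    """Precision, recall and f1 for the positive (Cerber) class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def cross_validate(dataset, runs=100, test_frac=0.1, seed=0):
    """Hold out `test_frac` of each class, `runs` times; return (min, max, avg)
    of precision, recall and f1 over the runs."""
    rng = random.Random(seed)
    scores = {"precision": [], "recall": [], "f1": []}
    pos = [r for r in dataset if r[1] == 1]
    neg = [r for r in dataset if r[1] == 0]
    for _ in range(runs):
        rng.shuffle(pos)
        rng.shuffle(neg)
        kp = max(1, int(len(pos) * test_frac))
        kn = max(1, int(len(neg) * test_frac))
        test, train = pos[:kp] + neg[:kn], pos[kp:] + neg[kn:]
        model = GaussianNB().fit(train)
        result = prf([y for _, y in test], [model.predict(d) for d, _ in test])
        for key, value in zip(scores, result):
            scores[key].append(value)
    return {k: (min(v), max(v), sum(v) / len(v)) for k, v in scores.items()}


if __name__ == "__main__":
    for name, (lo, hi, avg) in cross_validate(DATASET).items():
        print(f"{name:<10} min {lo:.2f}  max {hi:.2f}  avg {avg:.2f}")
```

Because the split is stratified per class, every run has both Cerber and benign test domains, so precision and recall are always defined; the spread between the min and max columns is the variance one should expect from a single 10% hold-out, which is why the paper averages over 100 runs.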

4.4 Predicting Detected Domains

We use the time series forecasting models HMM, ARIMA, and ARIMAX (see Sec. 3.2) to predict the daily number of domains involved in Cerber attacks that will be detected by our data sources (i.e., Cerber attacks). We collect and curate the time series of domains involved in Cerber attacks from the data sources described in Sec. 4.1 for the period between August 30, 2016 and May 31, 2017. We leverage the output (time series of domain registrations) of our malicious domain prediction method (see Sec. 4.3) as an external signal. We align the external signal with the Cerber attacks using correlation analysis [45]. ARIMAX exploits both the historical time series of domains involved in Cerber attacks and the external signal, whereas the base rate, HMM, and ARIMA only use the time series of domains involved in Cerber attacks for prediction.

For prediction, we divide the time series of domains involved in attacks in the data sources into training (first 60% of data) and test (last 40% of data) sets. We learn the models’ parameters on the training set and forecast the expected number of detected domains involved in Cerber attacks for the next seven days (in the test set). We then shift the training window to the right by seven days and repeat the procedure. We pick the training window, number of hidden states, emission probability distribution, and orders of the autoregressive models using a grid search for the best scores. Fig. 6 shows the expected number of domains involved in attacks predicted with the three proposed methods and a base rate model. For Fig. 6, we use an HMM with two hidden states and Poisson emission probability, and for ARIMA and ARIMAX, we apply a grid search over to identify the optimal model in terms of AIC score. Table 6 presents the corresponding quantitative comparison between the three methods and the base rate. ARIMAX outperforms the other models for Cerber-type ransomware attacks. This result demonstrates that exploiting external signals helped ARIMAX forecast better when there is no historical data for attacks.

Figure 6: Forecasting the number of detected Cerber ransomware domains using HMM, ARIMA, ARIMAX, and a base rate model. This figure illustrates the predicted values over the test set (last 40% of the time series data) using a sliding window approach with a look-ahead of 7 days. Here an HMM with two hidden states and Poisson emission probability is used, and the optimal ARIMA and ARIMAX models are identified using a grid search over their parameters.

Measure   Baserate   HMM_Poisson   ARIMA   ARIMAX
MAE       2.05       2.15          1.81    1.66
RMSE      2.41       2.83          2.37    2.10
MASE      1.11       1.16          0.98    0.90
Table 6: Forecasting of Cerber ransomware attacks using hidden Markov model (HMM) and autoregressive models (ARIMA and ARIMAX). Methods are compared in terms of different performance metrics: mean absolute error (MAE), root mean squared error (RMSE), and mean absolute scaled error (MASE).
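The sliding-window protocol of Sec. 4.4 (train on a fixed-length window, forecast the next seven days, shift by seven days, score with MAE, RMSE and MASE), together with the correlation-based alignment of the external signal, as an added example in Python. It is not the paper's code, which used statsmodels [32]: autoregressive models with and without an exogenous regressor, fitted by ordinary least squares, stand in for ARIMA and ARIMAX, there is no HMM, and both daily series are constructed, the detection series being generated from a random registration signal with a known lag of TRUE_LAG days. MASE follows Hyndman and Koehler [33]: MAE divided by the in-sample MAE of the naive one-step forecast.

```python
"""Sliding-window forecasting with and without an external signal, scored by
MAE, RMSE and MASE.

Added example, not the RAPTOR authors' code. AR / ARX models fitted by ordinary
least squares stand in for ARIMA / ARIMAX; both daily series are constructed.
"""
import math
import random
from statistics import mean

_rng = random.Random(3)
N_DAYS, TRUE_LAG = 120, 7
# Constructed external signal: daily number of domains the classifier flagged.
PREDICTED_REGISTRATIONS = [_rng.randint(0, 6) for _ in range(N_DAYS)]
# Constructed target: daily number of domains later detected by the data
# sources, driven by registrations TRUE_LAG days earlier plus persistence.
DETECTED_PER_DAY = [0] * N_DAYS
for _t in range(1, N_DAYS):
    _exog = PREDICTED_REGISTRATIONS[_t - TRUE_LAG] if _t >= TRUE_LAG else 0
    DETECTED_PER_DAY[_t] = max(0, round(1 + 0.5 * DETECTED_PER_DAY[_t - 1]
                                        + 0.8 * _exog + _rng.uniform(-0.5, 0.5)))


def best_lag(y, x, max_lag=14):
    """Alignment step: the lag at which x[t-lag] correlates most with y[t]."""
    def corr(a, b):
        ma, mb = mean(a), mean(b)
        num = sum((u - ma) * (v - mb) for u, v in zip(a, b))
        den = math.sqrt(sum((u - ma) ** 2 for u in a) * sum((v - mb) ** 2 for v in b))
        return num / den if den else 0.0
    return max(range(max_lag + 1), key=lambda L: corr(y[L:], x[:len(x) - L]))


def solve(A, b):
    """Gaussian elimination with partial pivoting for the small normal equations."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for i in range(n):
        piv = max(range(i, n), key=lambda r: abs(M[r][i]))
        M[i], M[piv] = M[piv], M[i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            for c in range(i, n + 1):
                M[r][c] -= f * M[i][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][c] * x[c] for c in range(i + 1, n))) / M[i][i]
    return x


def fit(y, x, lag, p, start, end):
    """OLS fit of y[t] = c + a_1 y[t-1] + ... + a_p y[t-p] (+ b x[t-lag]) on [start, end)."""
    rows, targets = [], []
    for t in range(start + max(p, lag), end):
        row = [1.0] + [float(y[t - i]) for i in range(1, p + 1)]
        if x is not None:
            row.append(float(x[t - lag]))
        rows.append(row)
        targets.append(float(y[t]))
    k = len(rows[0])
    XtX = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    Xty = [sum(r[i] * yt for r, yt in zip(rows, targets)) for i in range(k)]
    return solve(XtX, Xty)


def predict(coef, y, x, lag, p, end, horizon):
    """Recursive multi-step forecast for days end .. end+horizon-1. With
    lag >= horizon the exogenous values used are all already observed."""
    hist, out = list(y[:end]), []
    for h in range(horizon):
        t = end + h
        row = [1.0] + [hist[t - i] for i in range(1, p + 1)]
        if x is not None:
            row.append(x[t - lag])
        yhat = max(0.0, sum(c * v for c, v in zip(coef, row)))
        out.append(yhat)
        hist.append(yhat)
    return out


def metrics(actual, preds, naive_mae):
    errs = [a - f for a, f in zip(actual, preds)]
    mae = mean(abs(e) for e in errs)
    rmse = math.sqrt(mean(e * e for e in errs))
    return {"MAE": mae, "RMSE": rmse, "MASE": mae / naive_mae}


def rolling_eval(y, x=None, lag=0, p=2, train_frac=0.6, horizon=7):
    """Fixed-length training window of train_frac*len(y) days, 7-day look-ahead,
    window shifted by 7 days until the series is exhausted."""
    n, w = len(y), int(len(y) * train_frac)
    preds, actual, start = [], [], 0
    while start + w < n:
        end = start + w
        coef = fit(y, x, lag, p, start, end)
        fc = predict(coef, y, x, lag, p, end, min(horizon, n - end))
        preds += fc
        actual += y[end:end + len(fc)]
        start += horizon
    naive_mae = mean(abs(y[t] - y[t - 1]) for t in range(1, w))  # in-sample naive
    return metrics(actual, preds, naive_mae)


if __name__ == "__main__":
    lag = best_lag(DETECTED_PER_DAY, PREDICTED_REGISTRATIONS)
    print("aligned lag:", lag)
    print("AR :", rolling_eval(DETECTED_PER_DAY))
    print("ARX:", rolling_eval(DETECTED_PER_DAY, PREDICTED_REGISTRATIONS, lag=lag))
```

On this constructed data the aligned lag comes out at the generating lag and the model with the external signal scores lower on all three metrics, which is the pattern Table 6 reports for ARIMAX. MASE below 1 means the model beats the naive "same as yesterday" forecast, a useful sanity check when the count series is sparse.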

5 Discussion and Conclusions

The rising popularity of ransomware has challenged the ability of antivirus companies to keep up with the proliferation of malware variants. This was dramatically demonstrated on May 17, 2017, when a vulnerability in Microsoft Windows operating systems enabled a massive attack by the WannaCry ransomware that crippled infrastructure and emergency services in many countries around the world. The growing ransomware threat calls for new defensive solutions.

In this paper, we presented RAPTOR, a promising approach that relies on predicting properties of ransomware attacks. Our approach leverages an intuition that attackers facilitate their attacks through some processes. By fingerprinting these processes, we can model the behavior of the attackers and use the models to predict future attacks. To paraphrase an old saying, “foreknowledge is the best defense”. Anticipating properties of future ransomware attacks, or even simply their number, can help enterprises and individuals to better manage their resources defending against attacks. For example, knowing there will be a spike in the number of ransomware attacks in the coming days can lead enterprises to deploy additional spam detection services and warn their users to be vigilant.

Our approach is based on the life-cycle of an attack. First, attackers need to infect the victim’s system; then, they need the compromised system to communicate with their payment infrastructure to receive the ransom. To remain clandestine, this requires attackers to continuously register new domains. In a first step, RAPTOR learns features common to malicious domains by looking at the structure and WHOIS information of example domains involved in ransomware attacks. Then, by monitoring newly registered domains, we can flag the ones that exhibit those incriminating features.

We built upon the intuition that the attackers’ actions are not random and independent, but temporally correlated. Thus, in a second step, RAPTOR uses time series prediction methods to learn a model of an attacker based on historical events, and uses the model to predict when domains are involved in attacks. We described several algorithms used in time series analysis—HMM and ARIMA—which we applied to model the prediction of the number of domains involved in detected attacks. These algorithms take as input historical sequences of events (registrations or detections) and predict the likely number of new events. Moreover, we described another algorithm—ARIMAX—that uses predicted malicious domains as an external signal in time series prediction in addition to historical sequences of events.

We evaluated RAPTOR by applying it to predict the stages of Cerber, a popular ransomware. By applying our feature extraction approach to zone files of the top-level domain .top over the period from August 30, 2016 to May 31, 2017, we predicted 2,126 Cerber domain candidates. Of those domains, 378 were later confirmed to be malicious due to their appearance in our data sources abuse.ch, broadanalysis and malware-traffic-analysis. In addition, by sending requests to the domains on a periodic basis, we verified directly that Cerber used 126 of these domain candidates. However, only 99 of them were later published by our data sources and are already included in the 378 domains mentioned above. Hence, 27 of the domains used by Cerber were not detected by any of our data sources, which supports our assumption that Cerber uses more domains than our data sources detect. The remaining registered but not verified domains have not been used yet. Nonetheless, Cerber starts using earlier-registered domains on a daily basis, so the number of verified domains is likely to increase in the future. Additionally, the cross-validation showed that RAPTOR, in contrast to the real-world evaluation, has a very low false positive rate.

Additionally, characteristics of ransomware domains pose challenges for time series prediction. As can be seen in Fig. 6, Cerber ransomware activity changed dramatically at the beginning of 2017. This non-stationarity makes leveraging old patterns difficult. This kind of volatility is a possible reason for HMM not performing as well as other methods.

While promising, these approaches have limitations. The feature extraction based approach showed very good precision. However, an adversarial ransomware developer could avoid detection by using, at the time of domain registration, different domain name schemes and WHOIS information that is hard to cross-reference. Still, it is difficult to register a high number of domains in an automated way without any detectable patterns. Time series prediction, while flexible and generalizable to new domains, also has limitations. Data sparsity remains a challenge for time series prediction methods: when there is not enough signal, results are not reliable. Despite these shortcomings, forecasting cyber threats remains a promising new tool for cyber defense.

6 Acknowledgments

This project was funded by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0112. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government.


  • [1] Securelist: It threat evolution q1 2017. statistics. https://securelist.com/78475/it-threat-evolution-q1-2017-statistics/ (2017) Accessed: 2018-02-16.
  • [2] Kryptoslogic: Wannacry: Two weeks and 16 million averted ransoms later. https://blog.kryptoslogic.com/malware/2017/05/30/two-weeks-later.html (2017) Accessed: 2018-02-16.
  • [3] Hao, S., Kantchelian, A., Miller, B., Paxson, V., Feamster, N.: Predator: Proactive recognition and elimination of domain abuse at time-of-registration. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM (2016) 1568–1579
  • [4] Coull, S.E., White, A.M., Yen, T.F., Monrose, F., Reiter, M.K.: Understanding domain registration abuses. In: IFIP International Information Security Conference, Springer (2010) 68–79
  • [5] Alrwais, S.A., Yuan, K., Alowaisheq, E., Li, Z., Wang, X.: Understanding the dark side of domain parking. In: USENIX Security. (2014) 207–222
  • [6] Szurdi, J., Kocso, B., Cseh, G., Spring, J., Felegyhazi, M., Kanich, C.: The long “tail” of typosquatting domain names. In: USENIX Security. (2014) 191–206
  • [7] Agten, P., Joosen, W., Piessens, F., Nikiforakis, N.: Seven months’ worth of mistakes: A longitudinal study of typosquatting abuse. In: Proceedings of the 22nd Network and Distributed System Security Symposium (NDSS 2015), Internet Society (2015)
  • [8] Felegyhazi, M., Kreibich, C., Paxson, V.: On the potential of proactive domain blacklisting. LEET 10 (2010) 6–6
  • [9] Hao, S., Thomas, M., Paxson, V., Feamster, N., Kreibich, C., Grier, C., Hollenbeck, S.: Understanding the domain registration behavior of spammers. In: Proceedings of the 2013 conference on Internet measurement conference, ACM (2013) 63–76
  • [10] Lendasse, A., De Bodt, E., Wertz, V., Verleysen, M.: Non-linear financial time series forecasting-application to the bel 20 stock market index. European Journal of Economic and Social Systems 14(1) (2000) 81–91
  • [11] Chakraborty, P., Khadivi, P., Lewis, B., Mahendiran, A., Chen, J., Butler, P., Nsoesie, E.O., Mekaru, S.R., Brownstein, J.S., Marathe, M.V., et al.: Forecasting a moving target: Ensemble models for ili case count predictions. In: Proceedings of the 2014 SIAM international conference on data mining, SIAM (2014) 262–270
  • [12] Shumway, R.H., Stoffer, D.S.: Time series analysis and its applications: with R examples. Springer Science & Business Media (2010)
  • [13] Box-Steffensmeier, J.M., Freeman, J.R., Hitt, M.P., Pevehouse, J.C.: Time series analysis for the social sciences. Cambridge University Press (2014)
  • [14] Box, G.E., Jenkins, G.M., Reinsel, G.C., Ljung, G.M.: Time series analysis: forecasting and control. John Wiley & Sons (2015)
  • [15] Prado, R., West, M.: Time series: modeling, computation, and inference. CRC Press (2010)
  • [16] Viinikka, J., Debar, H., Mé, L., Lehikoinen, A., Tarvainen, M.: Processing intrusion detection alert aggregates with time series modeling. Information Fusion 10(4) (2009) 312–324
  • [17] Douc, R., Moulines, E., Stoffer, D.: Nonlinear time series: theory, methods and applications with R examples. CRC Press (2014)
  • [18] Rabiner, L., Juang, B.: An introduction to hidden markov models. ieee assp magazine 3(1) (1986) 4–16
  • [19] Kim, D.H., Lee, T., Jung, S.O.D., In, H.P., Lee, H.J.: Cyber threat trend analysis model using hmm. In: Information Assurance and Security, 2007. IAS 2007. Third International Symposium on, IEEE (2007) 177–182
  • [20] Ye, N., Zhang, Y., Borror, C.: Robustness of the markov-chain model for cyber-attack detection. IEEE Transactions on Reliability 53(1) (2004) 116–123
  • [21] Kharraz, A., Arshad, S., Mulliner, C., Robertson, W.K., Kirda, E.: Unveil: A large-scale, automated approach to detecting ransomware. In: USENIX Security Symposium. (2016) 757–772
  • [22] Andronio, N., Zanero, S., Maggi, F.: Heldroid: Dissecting and detecting mobile ransomware. In: International Workshop on Recent Advances in Intrusion Detection, Springer (2015) 382–404
  • [23] Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S., Maggi, F.: Shieldfs: A self-healing, ransomware-aware filesystem. In: Proceedings of the 32Nd Annual Conference on Computer Security Applications. ACSAC ’16, New York, NY, USA, ACM (2016) 336–347
  • [24] Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: Defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ASIA CCS ’17, New York, NY, USA, ACM (2017) 599–611
  • [25] Mockapetris, P.: Rfc 1034. https://tools.ietf.org/html/rfc1034 (1987) Accessed: 2018-02-16.
  • [26] ICANN: Centralized zone data service. https://czds.icann.org/en (2017) Accessed: 2018-02-16.
  • [27] Abuse.ch: ransomwaretracker.abuse.ch. http://ransomwaretracker.abuse.ch (2017) Accessed: 2018-02-16.
  • [28] Daigle, L.: Rfc 3912. https://tools.ietf.org/html/rfc3912 (2004) Accessed: 2018-02-16.
  • [29] WhoisXML API: whoisxmlapi.com. http://whoisxmlapi.com (2017) Accessed: 2018-02-16.
  • [30] Raghavan, V., Galstyan, A., Tartakovsky, A.G., et al.: Hidden markov models for the activity profile of terrorist groups. The Annals of Applied Statistics 7(4) (2013) 2402–2430
  • [31] Rabiner, L.: A tutorial on hidden markov models and selected applications in speech recognition. Proceedings of the IEEE 77(2) (1989) 257–286
  • [32] Seabold, S., Perktold, J.: Statsmodels: Econometric and statistical modeling with python. In: Proceedings of the 9th Python in Science Conference. Volume 57. (2010)  61
  • [33] Hyndman, R., Koehler, A.: Another look at measures of forecast accuracy. International journal of forecasting 22(4) (2006) 679–688
  • [34] Bleepingcomputer: The cerber ransomware not only encrypts your data but also speaks to you. https://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/ (2016) Accessed: 2018-02-16.
  • [35] Malware-traffic-analysis: Malspam example. http://www.malware-traffic-analysis.net/2017/01/23/index2.html (2017) Accessed: 2018-02-16.
  • [36] Broadanalysis: Exploit kit example. http://www.broadanalysis.com/2017/01/22/rig-v-exploit-kit-via-pseudodarkleech-from-109-234-35-244-delivers-cerber-ransomware/ (2017) Accessed: 2018-02-16.
  • [37] Tor2Web: Tor2web. https://www.tor2web.org/ (2017) Accessed: 2018-02-16.
  • [38] Broadanalysis: broadanalysis.com. http://broadanalysis.com (2017) Accessed: 2018-02-16.
  • [39] Malware-traffic-analysis: malware-traffic-analysis.net. http://malware-traffic-analysis.net (2017) Accessed: 2018-02-16.
  • [40] Bleepingcomputer: Cerber ransomware version 2 released, uses .cerber2 extension. https://www.bleepingcomputer.com/news/security/cerber-ransomware-version-2-released-uses-cerber2-extension/ (2016) Accessed: 2018-02-16.
  • [41] Bleepingcomputer: Cerber ransomware switches to .cerber3 extension for encrypted files. https://www.bleepingcomputer.com/news/security/cerber-ransomware-switches-to-cerber3-extension-for-encrypted-files/ (2016) Accessed: 2018-02-16.
  • [42] Sensortechforum: Remove red cerber ransomware’s 2017 update. http://sensorstechforum.com/remove-red-cerber-ransomwares-2017-update/ (2017) Accessed: 2018-02-16.
  • [43] Sensortechforum: Help_help_help used by cerber ransomware’s latest 2017 update. http://sensorstechforum.com/help_help_help-used-cerber-ransomwares-latest-2017-update/ (2017) Accessed: 2018-02-16.
  • [44] Bleepingcomputer: Cerber ransomware version 6 gets anti-vm and anti-sandboxing features. https://www.bleepingcomputer.com/news/security/cerber-ransomware-version-6-gets-anti-vm-and-anti-sandboxing-features/ (2017) Accessed: 2018-02-16.
  • [45] Rabiner, L., Gold, B.: Theory and application of digital signal processing. Prentice-Hall, Englewood Cliffs, NJ (1975)