First International Workshop on Cyber Threat Intelligence (WCTI)

This week, the first International Workshop on Cyber Threat Intelligence took place in Hamburg, Germany. 40 participants from academia, industry and government discussed the latest innovations, big challenges and future directions in CTI.

Cerber ransomware introduces malware coordination via the bitcoin blockchain

In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. We describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in real time, and because the malware goes directly to the right location, it no longer generates a sequence of NXDomain responses.
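The detection consequence of that last sentence, as an added example that is not taken from the workshop paper: a per-client NXDomain threshold run over a constructed resolver log flags a host cycling through generated names, but not a host that resolves its rendezvous domain on the first attempt. Client addresses, domain names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed resolver log entries: (client_ip, queried_name, rcode).
# None of these names or addresses come from real traffic.
SAMPLE_LOG = (
    # Client .5: classic DGA pattern, six generated names fail before one resolves.
    [("10.0.0.5", f"gen{i:02d}kqzt.example", "NXDOMAIN") for i in range(6)]
    + [("10.0.0.5", "gen06kqzt.example", "NOERROR")]
    # Client .7: ordinary user, one typo among normal lookups.
    + [("10.0.0.7", "intranet.example", "NOERROR"),
       ("10.0.0.7", "intrnet.example", "NXDOMAIN"),
       ("10.0.0.7", "mail.example", "NOERROR"),
       ("10.0.0.7", "wiki.example", "NOERROR")]
    # Client .9: learned the current server location out of band (the
    # blockchain-coordinated case), so its first lookup already resolves.
    + [("10.0.0.9", "mail.example", "NOERROR"),
       ("10.0.0.9", "rendezvous.example", "NOERROR")]
)


def nxdomain_stats(log):
    """Return {client: (nxdomain_count, total_queries)}."""
    counts = defaultdict(lambda: [0, 0])
    for client, _name, rcode in log:
        counts[client][1] += 1
        if rcode == "NXDOMAIN":
            counts[client][0] += 1
    return {client: (nx, total) for client, (nx, total) in counts.items()}


def flag_dga_suspects(log, min_nx=5, min_ratio=0.5):
    """Flag clients whose failed lookups are both numerous and dominant.

    min_nx and min_ratio are illustrative thresholds, not tuned values.
    """
    suspects = []
    for client, (nx, total) in nxdomain_stats(log).items():
        if nx >= min_nx and nx / total >= min_ratio:
            suspects.append(client)
    return sorted(suspects)


if __name__ == "__main__":
    for client, (nx, total) in sorted(nxdomain_stats(SAMPLE_LOG).items()):
        print(f"{client}: {nx}/{total} NXDOMAIN")
    print("flagged:", flag_dga_suspects(SAMPLE_LOG))
```

Only the first client crosses the threshold; the third produces no failed lookups at all, so detection for this class of malware has to rely on signals other than NXDomain volume.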