The vast majority of active malware and ransomware families include some sort of communication with command and control systems (C&Cs). This connection allows them to receive their instructions, such as which institutions to target, the encryption keys for ransomware, and targets for DDoS bots.

Command and control systems are vital for the success of malicious campaigns, and they are analyzed in detail by security companies that work around the clock to shut them down. This results in a “cat and mouse” game between attackers employing new features to make the take down process more complex and time consuming, and security vendors that strive to protect their customers. Historically, C&C systems were hosted at IP addresses or host names hard-coded into malware samples. Disabling such services was often easy and quick, and as such, these kinds of malicious campaigns didn’t remain active for too long.

Attackers evolved from these fixed IPs and hosts to more complex methods: fast flux domains, lists of domain names, peer to peer communications, Tor services and DGA domains. Ransomware binaries need an encryption key known by the attacker and won’t encrypt victim files if they can’t communicate with a command and control system. Similarly, malware that can’t reach its C&C won’t relay stolen personal and financial information. Some ransomware families employ a DGA that generates 1,000 new domain names every day. Samples installed on victims’ computers try to resolve each of the domains in the list, one at a time, until it successfully communicates with a C&C. This strategy complicates the take down process because the attacker can register any of the 1,000 domains and that domain is good only for one day. Therefore, if today’s domain is taken down, the attacker has another 1,000 options tomorrow.

Recently, a new ransomware variant was found to include DDoS capabilities. The malicious artifact receives an encryption key as well as commands to produce DDoS attacks against other victims. This highlights the necessity of actively blocking access to domain names generated via DGAs, as well as to command and control URLs.

Malware Patrol tracks a large number of malware and ransomware families that employ DGAs. We provide threat data feeds and block lists, helping organizations protect their employees, customers and assets from infections and data exfiltration.

Andre Correa

Co-Founder, Malware Patrol

Andre Correa - Malware PatrolInformation Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company is helping enterprises around the world to protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.