cs.CR, Mar 5, 2018

RAPTOR: Ransomware Attack PredicTOR

arXiv:1803.01598v1
17 citations
Originality: Incremental advance
AI Analysis

This paper addresses ransomware prediction for security practitioners. Its contribution is incremental: it fuses a malicious-domain-registration signal with historical activity data to improve forecasts.

The paper tackles the problem of predicting ransomware attacks by developing RAPTOR, a method that fingerprints attackers' operations and uses time series forecasting with malicious domain registrations as a signal. It demonstrated effectiveness by predicting 2,126 potential Cerber domains, with 378 later appearing in blacklists, improving forecasts of future Cerber activity.

Ransomware, a type of malicious software that encrypts a victim's files and only releases the cryptographic key once a ransom is paid, has emerged as a potentially devastating class of cybercrimes in the past few years. In this paper, we present RAPTOR, a promising line of defense against ransomware attacks. RAPTOR fingerprints attackers' operations to forecast ransomware activity. More specifically, our method learns features of malicious domains by looking at examples of domains involved in known ransomware attacks, and then monitors newly registered domains to identify potentially malicious ones. In addition, RAPTOR uses time series forecasting techniques to learn models of historical ransomware activity and then leverages malicious domain registrations as an external signal to forecast future ransomware activity. We illustrate RAPTOR's effectiveness by forecasting all activity stages of Cerber, a popular ransomware family. By monitoring zone files of the top-level domain .top starting from August 30, 2016 through May 31, 2017, RAPTOR predicted 2,126 newly registered domains to be potential Cerber domains. Of these, 378 later actually appeared in blacklists. Our empirical evaluation results show that using predicted domain registrations helped improve forecasts of future Cerber activity. Most importantly, our approach demonstrates the value of fusing different signals in forecasting applications in the cyber domain.
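The pipeline the abstract describes has three pieces: diff zone-file snapshots to find newly registered domains, score each new domain against features learned from known ransomware domains, and feed the daily count of flagged registrations into a time series model as an external signal. The following is an added example that is not the paper's code. It uses constructed zone snapshots, a constructed seed list of known-bad labels and hand-set lexical thresholds (character-bigram overlap with the seed labels, digit fraction, Shannon entropy) in place of the classifier the authors train on real Cerber domains, and a closed-form least-squares fit of y_t = a*y_{t-1} + b*x_{t-1} (yesterday's activity plus yesterday's flagged registrations) compared against an activity-only AR(1) baseline. The function and constant names are the example's own.

```python
"""Toy RAPTOR-style pipeline (added example; not the paper's code).

1. Diff two zone-file snapshots to find newly registered domains.
2. Score each new label with lexical features and flag likely ransomware
   infrastructure (thresholds are hand-set assumptions).
3. Fit next-day activity from yesterday's activity plus yesterday's
   flagged-registration count, and compare with an activity-only baseline.
"""
import math
from collections import Counter

# Constructed zone-file snapshots (domain names only) for two consecutive days.
ZONE_DAY1 = {"example.top", "shop-online.top", "myblog.top"}
ZONE_DAY2 = ZONE_DAY1 | {"xj2k9q.top", "p4y-decrypt.top",
                         "news-daily.top", "a8f3zq.top"}

# Constructed seed labels standing in for known Cerber payment/C2 domains.
KNOWN_BAD = ["xk7f2p", "decryptfile", "pay-decrypt", "zq9h3m"]


def new_registrations(old_zone, new_zone):
    """Domains present in the newer snapshot but not in the older one."""
    return sorted(new_zone - old_zone)


def bigrams(s):
    return {s[i:i + 2] for i in range(len(s) - 1)}


def entropy(s):
    """Shannon entropy of the label in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


BAD_BIGRAMS = set().union(*(bigrams(b) for b in KNOWN_BAD))


def features(domain):
    label = domain.split(".")[0]
    bg = bigrams(label)
    return {
        "bad_overlap": len(bg & BAD_BIGRAMS) / max(1, len(bg)),
        "digit_frac": sum(ch.isdigit() for ch in label) / len(label),
        "entropy": entropy(label),
    }


def is_suspicious(domain):
    """Hand-set rule (assumption): reuse of known-bad substrings, or a
    high-entropy, digit-heavy label typical of generated names."""
    f = features(domain)
    return (f["bad_overlap"] >= 0.5
            or (f["digit_frac"] >= 0.3 and f["entropy"] >= 2.5))


def flag_new_domains(old_zone, new_zone):
    return [d for d in new_registrations(old_zone, new_zone) if is_suspicious(d)]


def fit_arx(activity, signal):
    """Closed-form least squares for y_t = a*y_{t-1} + b*x_{t-1}."""
    rows = [(activity[t - 1], signal[t - 1], activity[t])
            for t in range(1, len(activity))]
    s_yy = sum(y * y for y, _, _ in rows)
    s_xx = sum(x * x for _, x, _ in rows)
    s_yx = sum(y * x for y, x, _ in rows)
    s_yt = sum(y * t for y, _, t in rows)
    s_xt = sum(x * t for _, x, t in rows)
    det = s_yy * s_xx - s_yx * s_yx
    return ((s_yt * s_xx - s_yx * s_xt) / det,
            (s_yy * s_xt - s_yx * s_yt) / det)


def fit_ar(activity):
    """Baseline without the registration signal: y_t = a*y_{t-1}."""
    pairs = list(zip(activity, activity[1:]))
    return sum(p * q for p, q in pairs) / sum(p * p for p, _ in pairs)


def in_sample_mae(activity, signal, a, b):
    """Mean absolute one-step-ahead error of a fitted (a, b) model."""
    errs = [abs(activity[t] - (a * activity[t - 1] + b * signal[t - 1]))
            for t in range(1, len(activity))]
    return sum(errs) / len(errs)


if __name__ == "__main__":
    print("flagged:", flag_new_domains(ZONE_DAY1, ZONE_DAY2))
    # Constructed daily series: flagged registrations x and activity y.
    x = [3, 1, 4, 1, 5, 9, 2, 6]
    y = [10.0]
    for t in range(1, len(x)):
        y.append(0.5 * y[-1] + 2 * x[t - 1])
    a, b = fit_arx(y, x)
    print(f"ARX fit a={a:.2f} b={b:.2f} MAE={in_sample_mae(y, x, a, b):.3f}")
    a0 = fit_ar(y)
    print(f"AR baseline a={a0:.2f} MAE={in_sample_mae(y, x, a0, 0.0):.3f}")
    print("next-day forecast:", a * y[-1] + b * x[-1])
```

The classification step is deliberately transparent so the two failure modes a practitioner meets are visible: a label that reuses known-bad substrings is caught by bigram overlap, while a fresh random-looking label is caught only by the entropy and digit features, and a benign label such as news-daily.top trips neither. The forecasting step shows why the registration signal matters: on a series actually driven by prior-day registrations, the activity-only AR(1) fit has a large residual while the ARX fit recovers the generating coefficients.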
