Conference record number:
4705
Paper title:
A Novel Approach for Detecting DGA-based Ransomwares
Authors:
Salehi Saeid (saeid_salehi@aut.ac.ir), Amirkabir University of Technology; Shahriari HamidReza (Shahriari@aut.ac.ir), Amirkabir University of Technology; Ahmadian Mohammad Mehdi (mm.ahmadian@aut.ac.ir), Amirkabir University of Technology; Tazik Ladan (ladan.tazik@aut.ac.ir), Amirkabir University of Technology
Number of pages:
7
Keywords:
Ransomware, Malware, Domain generation algorithm, Malware detection, Malware analysis, Behavioral analysis
Publication year:
1397
Conference title:
15th International Conference of the Iranian Society of Cryptology
Document language:
English
Persian abstract:
Nowadays, hybrid-cryptosystem ransomware, as well as botnets, utilizes domain generation algorithms to communicate with the command and control (C&C) server, exchange the public key, and perform its malicious actions. We present, for the first time, an approach for detecting domain-generation-algorithm-based ransomware. By running instances of this type of ransomware in a test environment, we analyze their behavior, especially in the DNS traffic segment, which leads us to derive several behavioral characteristics. Among these features are random, gibberish characters in the requested domains; using this feature on its own is not easy, however, as it can yield many false positives. Our new approach to this challenge is to measure the "Frequency of Different Domains Generation" and the "Repetition of Same Domains in a Time Interval". With the help of these criteria, we show that our method is more effective. The proposed approach can also be used to detect botnets and other DGA-based malware. Moreover, our approach detects ransomware in its early phase of activity (i.e., before it encrypts user data). Ultimately, we propose these features as a framework for identifying such ransomware with high detection accuracy and a low false-positive rate.
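As an added illustration (not code from the paper), the two DNS-traffic features named in the abstract computed per client over a fixed time window from a constructed DNS query log; the log format, the 60-second window, the flagging threshold and the decision rule (many distinct names in one window) are assumptions of this example.

```python
"""Per-client DNS window features for DGA-based ransomware detection.

Feature 1: how many *different* domains a client queries in a window
           ("Frequency of Different Domains Generation").
Feature 2: how often the *same* domain recurs in that window
           ("Repetition of Same Domains in a Time Interval").
Log format, window size and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client_ip> <queried_domain>".
# 10.0.0.5 behaves like a normal client; 10.0.0.9 churns through names.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 mail.example.com
2024-05-01T10:00:03 10.0.0.5 mail.example.com
2024-05-01T10:00:09 10.0.0.5 www.example.org
2024-05-01T10:00:15 10.0.0.5 mail.example.com
2024-05-01T10:00:00 10.0.0.9 xq7k2plsd.example
2024-05-01T10:00:01 10.0.0.9 xq7k2plsd.example
2024-05-01T10:00:02 10.0.0.9 bmz9qhtor.example
2024-05-01T10:00:03 10.0.0.9 w4ncuvrdk.example
2024-05-01T10:00:04 10.0.0.9 lp0zdyrej.example
2024-05-01T10:00:05 10.0.0.9 tv8ahqmns.example
2024-05-01T10:00:06 10.0.0.9 kf3yowxbe.example
"""

def parse_log(text):
    """Yield (timestamp, client, domain); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()

def window_features(records, window_seconds=60):
    """Map (client, window_id) -> {'distinct': n_domains, 'max_repeat': n}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, client, domain in records:
        counts[(client, int(ts.timestamp() // window_seconds))][domain] += 1
    return {key: {"distinct": len(d), "max_repeat": max(d.values())}
            for key, d in counts.items()}

def detect(log_text, window_seconds=60, min_distinct=5):
    """Clients with >= min_distinct different domains in one window (assumed rule)."""
    flagged = {}
    for (client, _), feats in window_features(parse_log(log_text), window_seconds).items():
        if feats["distinct"] >= min_distinct:
            flagged[client] = feats  # repetition value kept for analyst triage
    return flagged

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```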
Country:
Iran