Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware

Stijn Pletinckx, Cyril Trap, Christian Doerr

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

18 Citations (Scopus)


In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. Domain generation algorithms (DGA) generate a list of candidate domain names, each valid for only a short time, at which the malware installation searches for its command & control (C&C) server. As DGAs generate a large list of potential domains - out of which one or a few is actually in use -, they leave a characteristic trace of many failed DNS lookups (NXDomain) in the network, and in result most DGAs can be efficiently detected. In this paper we describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in realtime, and as the malware directly goes to the right location no longer generates a sequence of NXDomain responses. We describe the concept of coordination via the blockchain, and report results on a year-long observation of the assets used in the Cerber campaign.
Original languageEnglish
Title of host publication2018 IEEE Conference on Communications and Network Security (CNS)
Place of PublicationPiscataway, NJ
Number of pages9
ISBN (Electronic)978-1-5386-4586-4
ISBN (Print)978-1-5386-4587-1
Publication statusPublished - 28 May 2018
Event2018 IEEE Conference on Communications and Network Security - Beijing, China
Duration: 30 May 20181 Jun 2018


Conference2018 IEEE Conference on Communications and Network Security


  • threat intelligence
  • blockchain
  • ransomware
  • C&C
  • domain-generation-algorithm
  • campaign analysis


Dive into the research topics of 'Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware'. Together they form a unique fingerprint.

Cite this