What is Doxware?
Doxware is a ransomware variant that not only encrypts victims’ data and holds it hostage until a ransom is paid, often in Bitcoin, but, unlike traditional ransomware, also threatens to publicly expose sensitive information such as emails, conversations, photos, social security numbers, etc. If the ransom is not paid within the specified time frame, the data is often released publicly, causing reputational harm to the person or business.
How the name “Doxware” came about:
The term “dox” (or “doxx”) is an alteration of “docs,” the plural of “doc” (short for document). It first entered the dictionary as a verb in the early 21st century, referring to malicious hackers’ habit of searching for and publishing private or identifying information about a particular individual on the Internet, typically with malicious intent.
Doxing is the online practice of researching and broadcasting identifiable information (e.g. name, address, telephone number, social security number, etc.) of individuals or organizations.
“Ware” comes from the terms “malware” and “ransomware,” where it identifies the vehicle of a cyber attack.
The terms combined create “Doxware”.
How doxware is different from ransomware:
When a user downloads and executes the malicious payload, the attacker is able to copy information from the user’s computer and store it. The biggest threat here is not the encryption of the stolen data, as it is with ransomware (although hybrid attacks that do both exist), but the fact that the attacker uses the threat of disclosure as leverage to make the user pay. Unlike ransomware, the data may still be fully available to the user, and nothing is solved by decrypting it: the stolen copy remains in the criminal’s possession, so the threat of disclosure becomes a continuous source of potential revenue, and repeated threats to reveal the data can be a far more pervasive problem than the encryption alone.
History and rise of doxware:
One of the earliest doxware variants to emerge in the wild goes by the name “Ransoc.” The malware informs the victim that they have incurred a penalty because their computer allegedly contains child sexual abuse material and items that violate intellectual property rights, and that they will go to jail unless they pay a ransom. Ransoc also runs several scheduled routines that interact with Skype, LinkedIn and Facebook; it harvests information and photos it finds on those profiles and threatens to publish everything if payment is not received.
One of the most important factors contributing to the rise of doxware is the appearance of easy payment methods. In earlier days, cyber criminals tended to use either legitimate payment systems or semi-legitimate services to transfer money to each other and from their victims. The problem for criminals is that legitimate payment systems, reacting to the rise in fraudulent payments, started to track and block suspicious transactions, making money transfer a far riskier business for cyber-crooks. That is why moving money has always been an area of risk for cyber criminals. Things changed significantly when the price of the crypto-currency Bitcoin rose and stabilized enough for many users to convert real money into it. Criminals started to exploit the advantages of crypto-currencies over other types of e-currency: pseudonymity and a distributed nature, which together let them obscure fraudulent transactions and make it far harder for a law enforcement agency to intervene, as the system has no center and no owner. These features help to support individual privacy rights but, unfortunately, also give cyber criminals a reliable and discreet payment tool. The main outcome of this is that ransomware has become the new black in the underground.
How doxware spreads:
Doxware attacks work by breaching information processing systems, usually through malicious email attachments or links, and locking important files or networks until the user pays a specified amount of money. Many companies have figured out that they can avoid paying these ransoms by wiping a system clean, restoring it from backup data, and going about business without being held hostage. But doxware is the malware that combines ransomware with a personal data leak. With doxware, hackers hold computers hostage until the victim pays the ransom, just as with ransomware. But doxware takes the attack further by compromising the privacy of conversations, photos, and sensitive files, and threatening to release them publicly unless the ransom is paid. Because of the threatened release, a backup no longer makes the problem go away, so it is harder to avoid paying the ransom, which makes the attack more profitable for hackers.
Impact of doxware on business:
The first and foremost impact on business is that victims pay. In recent years regular users and companies have reached the point where the information stored on their PCs is valuable enough to consider paying a ransom on demand. The massive transition in organizations towards digital documents and automated business processes for accounting and other day-to-day activities is helping to accelerate this. A company whose regulatory compliance report, for example, is encrypted with ransomware just before the deadline for submitting it to the regulator may feel it has no choice but to pay the ransom, and this is what criminals exploit. As a result, crypto-ransomware has become, almost uniquely, a type of malware that causes tangible business damage by making critical operational files unreadable. This damage cannot always be rolled back, so sometimes paying the ransom is the only way to retrieve the data.
In 2014, Sony Pictures suffered a malware attack, delivered by email phishing, that released private conversations between top producers and executives discussing employees, actors, industry competitors, and future film plans, among other sensitive topics. Ransomware attacks have also claimed a number of recent victims, especially healthcare systems, including MedStar Health, which suffered a major attack affecting 10 hospitals and more than 250 outpatient centers in March 2016. Combine the data leak at Sony with the ransomware attack on MedStar and we can see the potential fallout from a doxware attack.
Looking at the data leaked from Sony, it’s easy to imagine the catastrophic effect doxware would have on an executive of any major corporation. Company leaders hold countless conversations over email each day on sensitive topics ranging from product development to competition to internal politics, and if there’s a doxware attack, the fallout could be extensive.
Tips for combating doxware:
- Backups are a must. Once a corporate PC is infected, the ransomware is likely to start encrypting the files required for the daily work of your company. If it is technically impossible to back up every file on the corporate network, choose the most critical documents and files, keep the copies isolated from the network (offline or on write-protected storage the malware cannot reach), and back them up regularly. Bear in mind that a backup restores availability but does nothing about the disclosure threat: data the attacker has already copied stays in their hands.
- Use a reliable, corporate-grade security solution and don’t switch off its advanced features, as these are what enable it to catch unknown threats.
- Keep the software on your PCs up to date.
- Keep an eye on the files you download from the Internet.
- Educate your personnel; ransomware infections very often happen due to a lack of knowledge about common cyber threats and the methods criminals use to infect their victims.
- Undertake regular patch management.
- Avoid paying the ransom and report the attack to the authorities.
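The backup advice above in working code, as an added example that is not part of the original article and not any vendor’s tool: it snapshots a chosen set of critical files into a timestamped directory, writes a SHA-256 manifest in `sha256sum` format beside the copies, and offers two checks a practitioner would want. `verify_backup` confirms the isolated copy itself is still intact, and `changed_since` compares the live files against the manifest, where many unexpected changes at once is exactly what mass encryption looks like. The directory names, file contents and the `run_demo` scenario are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name; sha256sum -c can read it


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large documents do not load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy every file under src into a new, never-overwritten directory
    under backup_root and record a digest for each copy."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    dest = backup_root / label
    dest.mkdir(parents=True, exist_ok=False)  # refuse to clobber an older snapshot
    lines = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        lines.append(f"{sha256_file(target)}  {rel.as_posix()}")
    (dest / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return dest


def read_manifest(backup_dir: Path) -> Dict[str, str]:
    """Parse 'digest  relative/path' lines back into a mapping."""
    entries: Dict[str, str] = {}
    for line in (backup_dir / MANIFEST_NAME).read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            entries[rel] = digest
    return entries


def _mismatches(manifest: Dict[str, str], base: Path) -> List[str]:
    """Relative paths under base that are missing or whose digest differs."""
    bad = []
    for rel, digest in manifest.items():
        p = base / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def verify_backup(backup_dir: Path) -> List[str]:
    """Check the isolated copy against its own manifest; [] means intact."""
    return _mismatches(read_manifest(backup_dir), backup_dir)


def changed_since(backup_dir: Path, live: Path) -> List[str]:
    """Live files that no longer match the snapshot. A burst of changes
    across unrelated documents is the signature of ransomware encryption."""
    return _mismatches(read_manifest(backup_dir), live)


def run_demo() -> dict:
    """Constructed scenario: two critical files are backed up, then one live
    file is overwritten the way a crypto-ransomware payload would do it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "finance"
        (live / "q3").mkdir(parents=True)
        (live / "q3" / "report.csv").write_text("account,amount\n1001,250.00\n")
        (live / "ledger.txt").write_text("opening balance 1000\n")
        backup = snapshot(live, root / "backups", label="demo")
        # Simulate encryption of a working file after the snapshot was taken.
        (live / "q3" / "report.csv").write_bytes(b"\x80\xd7ENCRYPTED\x00")
        return {
            "manifest_entries": len(read_manifest(backup)),
            "backup_intact": verify_backup(backup) == [],
            "changed": changed_since(backup, live),
        }


if __name__ == "__main__":
    print(run_demo())
```

Because the manifest uses the same two-space layout as `sha256sum`, the backup can also be checked from the shell with `sha256sum -c MANIFEST.sha256` inside the snapshot directory, which is useful when verifying an offline copy on a machine where this script is not installed.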
Nowadays, doxware has become a growing concern for companies in every industry. Many companies have figured out that they can avoid paying ransoms by wiping a system clean, restoring it from backup drives, and going about business without being held hostage. But in response to that defense, cyber criminals have created an even more insidious weapon, one that cybersecurity professionals must now contend with.