The latest ransomware threat: Doxware

Rishi Bhargava, Co-founder and VP Marketing, Demisto | Feb. 28, 2017
Like ransomware, doxware encrypts files, but also involves purloining copies

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

As if ransomware wasn’t bad enough, there is a new twist called doxware. The term "doxware" is a combination of doxing — posting hacked personal information online — and ransomware. Attackers notify victims that their sensitive, confidential or personal files will be released online. If contact lists are also stolen, the perpetrators may threaten to release information to the lists or send them links to the online content.

Doxware and ransomware share some similarities. They both encrypt the victim's files, both include a demand for payment, and both attacks are highly automated. However, in a ransomware attack, files do not have to be removed from the target; encrypting the files is sufficient. A doxware attack is meaningless unless the files are uploaded to the attacker's system. Uploading all of the victim's files is unwieldy, so doxware attacks tend to be more focused, prioritizing files that include trigger words such as "confidential", "privileged communication", "sensitive" or "private".

Although doxware attacks are likely to increase, this type of extortionware has its shortcomings:

  1. Doxware attacks tend to involve relatively small amounts of data. Most attackers do not have the resources to store millions of files, and the act of uploading a massive volume of files increases the risk of detection.
  2. Criminals want to maximize their return on investment, and doxware attacks are more costly to implement. For a doxware attack to be financially rewarding, attackers must research potential victims to determine whether the stolen data will have sufficient value. They must also have a plan for publishing the data if the victim chooses not to pay.
  3. Criminals potentially face increased risks for doxware attacks. Attackers need the infrastructure to host the stolen files and to release them online. This infrastructure could make tracing them easier.

Shortcomings aside, security analysts agree that doxware attacks are likely to increase over the next two years. So far the attacks have targeted businesses and high-profile individuals rather than the general public. However, that could change if attackers find ways to target smartphones or IoT devices.

One of the earliest doxware attacks, Ransoc, informed victims that files violating intellectual property rights or files containing child pornography were present on their computers; unless the victim remitted a payment, the authorities would be notified and the victim would be incarcerated. With access to more devices, attackers could refine doxware attacks that make it cost-effective to target individuals on a massive scale.

Protecting against doxware attacks

Businesses that suffer a doxware attack often feel there is no alternative but to pay the ransom. However, even making the payment does not always end the attack. If the attackers find information that is particularly valuable or embarrassing, additional demands may be made. Furthermore, there is no guarantee the criminals will not publish the files even after a company meets all of the payment demands.
