What is Doxware? (And Do I Really Need to Worry?)
Doxware is a ransomware variant with a dark(er) twist: while the underlying technology between doxware and ransomware is virtually identical, the key difference lies in the human behavior of the perpetrators and in the consequences for the victims.
Even if you haven't heard the term 'doxware' before, you're almost certainly familiar with some of the big businesses that have been victims of this cybercrime, like Netflix or Ashley Madison. The concept was also portrayed (albeit without using the term) in the popular series Black Mirror. Doxware is the newest evolution in malware. What makes doxware different from ransomware, and how can you protect yourself and your data?
Start with the Basics: What is Doxing? How Does It Relate to Malware?
To understand doxware, you first have to understand 'doxing' (sometimes spelled 'doxxing'). To dox someone is to reveal their identity online. The term is shortened from 'documents,' referring both to the paper trail used to find someone's identity and to the identifying documents that are often publicly and embarrassingly released in a doxing attack.
Doxing can be personal, tying a public persona to their private habits by releasing embarrassing or revealing personal information, like photos; or it can be an impersonal crime, releasing sensitive data en masse like bank accounts or social security numbers. Over the past decade, doxxing has been a popular method used by internet vigilantes to punish their perceived enemies, sometimes to general applause, sometimes with disastrous consequences.
The actual malware component of doxware is functionally the same as any other ransomware. A doxware virus seizes files from a targeted computer, or from many targeted computers and servers. The difference lies in the consequences, should the victim choose not to pony up the ransom. After infecting the computer and encrypting the files, the attacker behind the doxware demands a ransom: without payment, the files will be made public.
How Does It Work?
Like other forms of malware, doxware makes its way onto a targeted computer as an infected file, sometimes hidden in an e-mail attachment, sometimes delivered through an infected website. Once inside, much of the process is automatic: older ransomware, once downloaded, would upload and encrypt files en masse, but newer variants run a script that searches for specifically personal or embarrassing files (for example, by matching keywords such as "nude") as well as personal contacts.
The attacker then demands a ransom, commonly in an anonymous, hard-to-trace internet currency such as Bitcoin. If the attacker follows through on the threat, the data is uploaded to an anonymous plaintext site like Pastebin, or sent directly to the victim's contact list over e-mail, Facebook, or Skype.
It can take months before a victim finds out they've been infected; all the while, their computer has been a vector for the virus.
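The behavioural difference described above (bulk encryption alone versus bulk encryption followed by a comparable volume of outbound traffic) is something a defender can look for on the endpoint. The following is an added example, not code from the original post or from ExtraHop: it parses a constructed, simplified file/network activity log and labels each process as plain ransomware, doxware-like, or benign. The log format, the `.locked` suffix and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: timestamp, pid, operation, target, byte count.
# pid 4242 encrypts files AND ships a similar volume outbound (doxware pattern);
# pid 7777 only encrypts (plain ransomware); pid 9001 is normal activity.
SAMPLE_LOG = """\
10:00:01 pid=4242 READ /home/a/Documents/passport_scan.pdf 120000
10:00:01 pid=4242 READ /home/a/Pictures/holiday_beach.jpg 2400000
10:00:02 pid=4242 WRITE /home/a/Documents/passport_scan.pdf.locked 120100
10:00:02 pid=4242 WRITE /home/a/Pictures/holiday_beach.jpg.locked 2400100
10:00:03 pid=4242 NET 203.0.113.7:443 2500000
10:00:05 pid=7777 READ /home/b/Documents/q3_report.docx 500000
10:00:05 pid=7777 READ /home/b/Documents/invoices.xlsx 300000
10:00:06 pid=7777 WRITE /home/b/Documents/q3_report.docx.locked 500100
10:00:06 pid=7777 WRITE /home/b/Documents/invoices.xlsx.locked 300100
10:00:07 pid=7777 NET 203.0.113.9:443 4000
10:00:09 pid=9001 READ /home/c/Documents/notes.txt 2000
"""

LINE_RE = re.compile(r"^\S+ pid=(\d+) (READ|WRITE|NET) (\S+) (\d+)$")
ENCRYPTED_SUFFIX = ".locked"  # assumed encryptor suffix; real families differ
MIN_FILES = 2                 # encrypted files needed to call it bulk encryption
EXFIL_RATIO = 0.5             # outbound bytes / bytes read suggesting data left the host

def classify(log_text):
    """Return {pid: 'doxware' | 'ransomware' | 'benign'} for each process seen."""
    stats = defaultdict(lambda: {"read": 0, "locked": 0, "net": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        pid, op, target, nbytes = m.group(1), m.group(2), m.group(3), int(m.group(4))
        s = stats[pid]
        if op == "READ":
            s["read"] += nbytes
        elif op == "WRITE" and target.endswith(ENCRYPTED_SUFFIX):
            s["locked"] += 1
        elif op == "NET":
            s["net"] += nbytes
    verdict = {}
    for pid, s in stats.items():
        if s["locked"] < MIN_FILES:
            verdict[pid] = "benign"
        elif s["read"] and s["net"] / s["read"] >= EXFIL_RATIO:
            verdict[pid] = "doxware"  # encrypted AND exfiltrated: extortion likely
        else:
            verdict[pid] = "ransomware"
    return verdict
```

A pattern like this is only a starting point; in practice the encrypted-file signal and the exfiltration signal should be correlated with process lineage and destination reputation to keep false positives down.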
How Is That Different From Ransomware or Extortionware?
The line between ransomware and doxware is blurry enough that the terms are sometimes used interchangeably; however, the difference is in the final steps. With ransomware the files are held for, well, a ransom, rendered useless unless they are bought back, while doxware comes with the specific threat of making specific files public, as when TheDarkOverlord released episodes of the popular Netflix series Orange is the New Black.
Additionally, most ransomware targets an entire hard drive, while doxware goes after specific keywords that are likely to mark private, sensitive data the owner would not want broadcast (PINs, bank account numbers).
In less digital terms, ransomware is robbery, while doxware is blackmail. All of it falls under the umbrella term Extortionware.
Why Does This Matter to Me Now?
In 2016, ransomware attacks increased by 6000% over 2015, with 70% of those affected agreeing to pay the ransom. However, ransomware attacks have been steadily earning less for their attackers; while ransomware attacks like WannaCry and NotPetya made a lot of headlines this year, they were not as lucrative for the hackers who unleashed them, only making $149,545 and $11,181, respectively. Why?
As companies get savvier about security, more are backing up their mission-critical files, making a ransom for their safe return less appealing: why pay a ransom when you can just wipe the machine and restore from backup? Because of this, digital criminals have had to stay a few steps ahead. While companies that have safely backed up their information might be willing to lose files, fewer are willing to see those files go public. The PR damage might make the ransom worth it.
How to Protect Against an Attack
If you do find yourself the victim of a doxware attack:
- Report it to the authorities. The FBI has a specific department to handle cyber crimes, and any detail can be helpful for an open case.
- Don't pay the ransom. Success is encouragement for future attacks, and there is no guarantee the attackers will hold up their end of the bargain once payment is received; it's nearly impossible to trace currencies like Bitcoin to the source, so if this doxware had many victims, the attackers may have no way of linking your payment to your files.
Unfortunately, your options are limited once your files are encrypted. Like many other cyber crimes, your best defense is to prevent it from happening in the first place:
- Back up your data. Back up mission-critical data every day to the cloud or to an offline device.
- Educate on safe internet habits. 95% of security breaches have "human error" as a contributing factor; make sure employees are up to date on not clicking on phishing emails or suspicious websites, and run monthly "phishing" drills.
- Make your network security proactive. This ExtraHop WannaCry bundle was released in the wake of the now infamous WannaCry and Petya attacks and watches for anomalies related to doxware and other forms of malware.
As the amount of money at stake grows, doxware will continue to grow in scale and sophistication. Your best offense, in this case, is a good defense.