Doxware Leaks Your Private Data if You Don’t Pay the Ransom

Ransomware began grabbing headlines about a year ago, after Hollywood Presbyterian Medical Center paid hackers thousands of dollars in ransom after it got locked out of its systems. This large payday apparently encouraged hackers to keep going; a recent survey showed that about half of all businesses reported being victimized by ransomware at least once in the previous 12 months, and a stunning 85% had been hit three or more times. Because ransomware is now ubiquitous, organizations have learned to fight back by restoring their systems from backup drives, thus avoiding having to pay a ransom. Unfortunately, hackers are fighting back, too, using a combination of ransomware and extortionware called doxware.

A doxware attack unfolds similarly to ransomware: Victims attempt to log on to their computers and are greeted by a screen notifying them that their system has been locked down and demanding that a ransom be paid, usually in Bitcoin, for the code to get back in. However, doxware goes a step further, not only locking the system down but also threatening to expose the user’s private or sensitive data. This renders restoring the system from a backup ineffective because it will solve only half the problem.

One known doxware strain notifies users that it has compromised all of their login credentials, contacts, and Skype history onto a server and threatens to forward it to all of the user’s contacts unless the ransom is paid. Other variants are programmed to search the user’s system for files containing keywords that might indicate embarrassing content, such as “nude” or “sex.” In a unique twist aimed at self-propagation, a variant called Popcorn Time gives victims an alternate to paying the ransom: Infecting two of their friends with the malware.

As both Sony Pictures and the Democratic National Committee learned the hard way after their corporate emails were hacked and published on WikiLeaks, having embarrassing information go public can ruin reputations and derail careers. Additionally, the release of scandalous material isn’t the only thing organizations need to worry about; doxware could be set up to target trade secrets, intellectual property, and other confidential information that could be ruinous to a business if it were released. For hackers, this represents the “value proposition” of doxware over ransomware: The fear of financial ruin makes it far more likely that doxware victims will cave in to hackers’ ransom demands or even agree to infect their friends in order to get off the hook. Of course, there is no guarantee that the criminals demanding the ransom will keep their word and not release the information, anyway.

How serious is the doxware threat?

Right now, doxware is a new threat, and attacks have been confined to Windows computers and laptops, but this particular attack vector is so potentially lucrative, there’s no reason to think that cyber criminals will stop there. Doxware would lend very well to mobile devices, where it could be set up to send photos, videos, and text messages to all of the user’s contacts.

The bright side is that since doxware isn’t yet at epidemic levels, organizations have a chance to get ahead of the game and take proactive cyber security measures before it becomes as common as ransomware. Methods to prevent a doxware attack are essentially the same as those used to fend off ransomware: training employees on how to spot phishing emails and other cyber security best practices, deploying antivirus packages that protect against ransomware strains, and maintaining regular system backups. Organizations should also air-gap intellectual property, employee tax data, and other highly sensitive information to make it more difficult for hackers to access, and encrypt the data so that it is useless even if they do manage to get at it.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.