‘Doxware’ adds malicious twist to ransomware threats

In Shut Up and Dance, a 2016 episode of the creepy Netflix series Black Mirror, an assortment of characters who are unknown to each other are thrown together in a macabre crime drama orchestrated by an unknown puppetmaster who threatens to reveal secrets about each person that have been captured via online surveillance.

The newest breed of malware is not too far removed from the same story line. Experts are calling it “doxware.” It’s a cross between the now-rampant malware variant called ransomware and doxing, which is the practice of intimidating people by threatening to publish embarrassing information about them online.

Doxware is still relatively rare in the wild – and so far it has been seen only on Windows computers – but some researchers say it is evidence of a worrying evolution of ransomware into more intrusive and damaging forms. Ransomware takes possession of a victim’s computer and encrypts the files, offering a decryption key only if a ransom is paid. Nearly 40 percent of organizations globally have been hit by a ransomware attack during the past 12 months, according to Osterman Research Inc. Ransomware was the fastest growing malware variant in 2016.

Many organizations have learned, however, that frequent backups can foil the most common forms of ransomware by minimizing data loss. That’s where doxware goes a step further.

Doxware harvests information from a victim’s computer and threatens to publish it to contacts in their address book or publicly on the web. By adding the threat of embarrassment or business disruption, attackers figure they have a better chance of hauling in loot.

The trend gained momentum after attackers locked up San Francisco’s Municipal Transportation Agency for two days in November, giving passengers free rides and embarrassing administrators. Another predecessor called Epic Ransomware, which was discovered last spring, threatens to send a person’s files to people in their contact list.

The technology is evolving quickly. The earliest doxware versions mainly harvested files at random, but more recent variants look for filenames that might point to things like job applications or pornography, according to Vocativ.

Dark Reading tells of one new variant that threatens to steal and publish a victim’s passwords, and another that gives victims the option of avoiding the ransom by instead infecting two friends. It’s not hard to imagine further variations.

Doxware isn’t without risks to the attacker. Publishing files on the open web requires access to servers or public file-sharing accounts, which may be traceable. Attackers are likely to find workarounds for these weaknesses, however.

Keeping up-to-date file backups isn’t effective protection against doxware. One option is to encrypt all files and emails on a potential target machine, but that adds overhead and complexity. The best option is never to click on links in emails or social media unless absolutely sure that the source is legitimate. However, the first JavaScript ransomware emerged last year, making it possible for victims to become infected simply by opening a malicious web page.
