UPDATED 16:56 EST / JANUARY 04 2017


‘Doxware’ adds malicious twist to ransomware threats

In Shut Up and Dance, a 2016 episode of the creepy Netflix series Black Mirror, an assortment of characters who are unknown to each other are thrown together in a macabre crime drama orchestrated by an unknown puppetmaster who threatens to reveal secrets about each person that have been captured via online surveillance.

The newest breed of malware is not too far removed from the same story line. Experts are calling it “doxware.” It’s a cross between the now-rampant malware variant called ransomware and doxing, which is the practice of intimidating people by threatening to publish embarrassing information about them online.

Doxware is still relatively rare in the wild – and so far it has been seen only on Windows computers – but some researchers are saying it’s evidence of a scary evolution of ransomware into more intrusive and damaging forms. Ransomware takes possession of a victim’s computer and encrypts the files, offering a decryption code only if a ransom is paid. Nearly 40 percent of organizations globally have been hit by a ransomware attack during the past 12 months, according to Osterman Research Inc. Ransomware was the fastest growing malware variant in 2016.

Many organizations have learned, however, that frequent backups can foil the most common forms of ransomware by minimizing data loss. That’s where doxware goes a step further.

Doxware harvests information from a victim’s computer and threatens to publish it to contacts in their address book or publicly on the web. By adding the threat of embarrassment or business disruption, attackers figure they have a better chance of hauling in loot.

The trend gained momentum after attackers locked up San Francisco’s Municipal Transportation Agency for two days in November, giving passengers free rides and embarrassing administrators. Another precursor, Epic Ransomware, which was discovered last spring, threatens to send a person’s files to people in their contact list.

The technology is evolving quickly. The earliest doxware versions mainly harvested files at random, but more recent variants look for filenames that might point to things like job applications or pornography, according to Vocativ.

Dark Reading tells of one new variant that threatens to steal and publish a victim’s passwords, and another that gives victims the option of avoiding the ransom by instead infecting two friends. It’s not hard to imagine further variations.

Doxware isn’t without risks to the attacker. Publishing files on the open web requires access to servers or public file-sharing accounts, which may be traceable. Attackers are likely to find workarounds for these weaknesses, however.

Keeping up-to-date file backups, effective as it is against ordinary ransomware, isn’t effective protection against doxware, because the threat is disclosure rather than data loss. One option is to encrypt all files and emails on a potential target machine, but that adds overhead and complexity. The best option is never to click on links in emails or social media unless absolutely sure that the source is legitimate. However, the first JavaScript ransomware emerged last year, making it possible for victims to become infected simply by opening a malicious web page.

Photo via Flickr CC
