‘Doxware’ adds malicious twist to ransomware threats
In Shut Up and Dance, a 2016 episode of the creepy Netflix series Black Mirror, an assortment of characters who are unknown to each other are thrown together in a macabre crime drama orchestrated by an unknown puppetmaster who threatens to reveal secrets about each person that have been captured via online surveillance.
The newest breed of malware is not too far removed from the same story line. Experts are calling it “doxware.” It’s a cross between the now-rampant malware variant called ransomware and doxing, which is the practice of intimidating people by threatening to publish embarrassing information about them online.
Doxware is still relatively rare in the wild – and so far it has been seen only on Windows computers – but some researchers are saying it’s evidence of a scary evolution of ransomware into more intrusive and damaging forms. Ransomware takes possession of a victim’s computer and encrypts the files, offering a decryption code only if a ransom is paid. Nearly 40 percent of organizations globally have been hit by a ransomware attack during the past 12 months, according to Osterman Research Inc. Ransomware was the fastest growing malware variant in 2016.
Many organizations have learned, however, that frequent backups can foil the most common forms of ransomware by minimizing data loss. That’s where doxware goes a step further.
Doxware harvests information from a victim’s computer and threatens to publish it to contacts in their address book or publicly on the web. By adding the threat of embarrassment or business disruption, attackers figure they have a better chance of hauling in loot.
The trend gained momentum after attackers locked up San Francisco’s Municipal Transportation Agency for two days in November, giving passengers free rides and embarrassing administrators. Another ancestor called Epic Ransomware, which was discovered last spring, threatens to send a person’s files to people in their contact list.
The technology is evolving quickly. The earliest doxware versions mainly harvested files at random, but more recent variants look for filenames that might point to things like job applications or pornography, according to Vocativ.
Dark Reading tells of one new variant that threatens to steal and publish a victim’s passwords, and another that gives victims the option of avoiding the ransom by instead infecting two friends. It’s not hard to imagine further variations.
Doxware isn’t without risks to the attacker. Publishing files on the open web requires access to servers or public file-sharing accounts which may be traceable. Attackers are likely to figure out workarounds for these vulnerabilities, however.
Photo via Flickr CC
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.