February 28, 2017
Like ransomware, doxware encrypts files, but also involves purloining copies
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
As if ransomware wasn’t bad enough, there is a new twist called doxware. The term "doxware" is a combination of doxing — posting hacked personal information online — and ransomware. Attackers notify victims that their sensitive, confidential or personal files will be released online. If contact lists are also stolen, the perpetrators may threaten to release information to the lists or send them links to the online content.
Doxware and ransomware share some similarities. They both encrypt the victim's files, both include a demand for payment, and both attacks are highly automated. However, in a ransomware attack, files do not have to be removed from the target; encrypting the files is sufficient. A doxware attack is meaningless unless the files are uploaded to the attacker's system. Uploading all of the victim's files is unwieldy, so doxware attacks tend to be more focused, prioritizing files that include trigger words such as confidential, privileged communication, sensitive or private.
Although doxware attacks are likely to increase, this type of extortionware has its shortcomings:
- Doxware attacks tend to involve relatively small amounts of data. Most attackers do not have the resources to store millions of files, and the act of uploading a massive volume of files increases the risk of detection.
- Criminals want to maximize their return on investment, and doxware attacks are more costly to implement. For a doxware attack to be financially rewarding, attackers must research potential victims to determine whether the stolen data will have sufficient value. They must also have a plan for publishing the data if the victim chooses not to pay.
- Criminals potentially face increased risks for doxware attacks. Attackers need the infrastructure to host the stolen files and to release them online. This infrastructure could make tracing them easier.
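The second and third points above rest on the same observation: a doxware attack only pays off if the staged files actually leave the network, and bulk outbound transfer is something a defender can measure. The following Go program, added here as an illustration and not part of the original article, parses constructed proxy-style egress records (timestamp, source host, destination, bytes sent; the hostnames, the address 198.51.100.7 and the byte counts are made-up sample data) and flags any host whose total outbound volume exceeds a threshold, together with the destination that received most of it. The log format, the 10 MiB threshold and the function names are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// EgressEvent is one outbound transfer as a proxy or flow exporter might record it.
type EgressEvent struct {
	Host     string
	Dest     string
	BytesOut int64
}

// Constructed sample records (not real telemetry): timestamp, host, destination, bytes sent.
// ws-finance-03 pushes roughly 155 MiB to a single external address in a few minutes,
// while ws-hr-11 shows ordinary browsing and mail traffic. The last line is deliberately malformed.
const sampleLog = `2017-02-27T09:01:10Z ws-finance-03 cdn.example.net 2400
2017-02-27T09:02:11Z ws-finance-03 mail.example.net 18000
2017-02-27T09:05:42Z ws-finance-03 198.51.100.7 52428800
2017-02-27T09:05:59Z ws-finance-03 198.51.100.7 61000000
2017-02-27T09:06:20Z ws-finance-03 198.51.100.7 49000000
2017-02-27T09:03:00Z ws-hr-11 cdn.example.net 3100
2017-02-27T09:04:00Z ws-hr-11 mail.example.net 22000
malformed line here`

// ParseEgressLog parses "timestamp host dest bytes" lines, skipping malformed ones
// rather than aborting, so one bad record cannot blind the detector.
func ParseEgressLog(log string) []EgressEvent {
	var events []EgressEvent
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		n, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil || n < 0 {
			continue
		}
		events = append(events, EgressEvent{Host: f[1], Dest: f[2], BytesOut: n})
	}
	return events
}

// Finding describes a host whose outbound volume exceeded the threshold.
type Finding struct {
	Host     string
	TotalOut int64
	TopDest  string // destination that received the most bytes from this host
	TopBytes int64
}

// FlagBulkEgress sums bytes per host and reports hosts above thresholdBytes,
// sorted by volume, so the largest transfer is investigated first.
func FlagBulkEgress(events []EgressEvent, thresholdBytes int64) []Finding {
	perHost := map[string]int64{}
	perHostDest := map[string]map[string]int64{}
	for _, e := range events {
		perHost[e.Host] += e.BytesOut
		if perHostDest[e.Host] == nil {
			perHostDest[e.Host] = map[string]int64{}
		}
		perHostDest[e.Host][e.Dest] += e.BytesOut
	}
	var findings []Finding
	for host, total := range perHost {
		if total <= thresholdBytes {
			continue
		}
		f := Finding{Host: host, TotalOut: total}
		for dest, b := range perHostDest[host] {
			if b > f.TopBytes {
				f.TopDest, f.TopBytes = dest, b
			}
		}
		findings = append(findings, f)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].TotalOut > findings[j].TotalOut })
	return findings
}

func main() {
	// Assumed threshold: 10 MiB of outbound data from one workstation in the window.
	for _, f := range FlagBulkEgress(ParseEgressLog(sampleLog), 10<<20) {
		fmt.Printf("%s sent %d bytes outbound; %d of them went to %s\n",
			f.Host, f.TotalOut, f.TopBytes, f.TopDest)
	}
}
```

A fixed byte threshold is the simplest form of this check; in production the threshold would be derived from each host's own historical baseline, and the time window would be bounded, but the aggregation and ranking logic is the same.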
Shortcomings aside, security analysts agree that doxware attacks are likely to increase over the next two years. So far the attacks have targeted businesses and high-profile individuals rather than the general public. However, that could change if attackers find ways to target smartphones or IoT devices.
One of the earliest doxware attacks, Ransoc, informed victims that files violating intellectual property rights or files containing child pornography were present on their computers; unless the victim remitted a payment, the authorities would be notified and the victim would be incarcerated. With access to more devices, attackers could refine doxware attacks that make it cost-effective to target individuals on a massive scale.
Protecting against doxware attacks
Businesses that suffer a doxware attack often feel there is no alternative but to pay the ransom. However, even making the payment does not always end the attack. If the attackers find information that is particularly valuable or embarrassing, additional demands may be made. Furthermore, there is no guarantee the criminals will not publish the files even after a company meets all of the payment demands.
The purloined data remains an ongoing threat; victims cannot confirm that stolen files have been erased. Therefore, the best method of dealing with an attack is to prevent it. The following tips can help protect against doxware attacks:
- Most doxware attacks begin with a phishing attack. Educate users on how to deal with phishing attempts, such as not opening email attachments from unknown sources and not clicking on links contained in emails.
- Do not store sensitive data on a hard drive; if that is impossible, try to spread the data over multiple servers.
- Encrypt files while they are at rest, and make sure that sensitive files are always encrypted.
- Keep anti-malware software updated; new threats are constantly emerging.
- Educate users on malvertising and the types of sites that are common sources of malware-infected ads. These include adult websites, Facebook, Skype and "pirate" sites hosting illegal copies of movies and television shows.
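The tip on encrypting files at rest is only as strong as the key handling behind it: if the decryption key sits on the same disk, or is held by the same user account that the malware runs under, the malware reads the plaintext just as the user would. The Go program below, added here as an example and not taken from the article or any vendor product, shows authenticated encryption of file contents with AES-256-GCM, with the file's path bound in as additional authenticated data so that a ciphertext copied to a different location, or modified in transit, fails to open. The function names, the use of the path as AAD and the fixed demonstration key are assumptions of the example; a real deployment would fetch the key from a key manager or hardware-backed store, never from a literal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealBytes encrypts plaintext with AES-256-GCM under a 32-byte key. A fresh random
// 12-byte nonce is prepended to the output. aad (here, the file's path) is
// authenticated but not stored, so the same value must be supplied when opening.
func SealBytes(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and the 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenBytes reverses SealBytes. Any change to the nonce, ciphertext, tag or aad
// makes gcm.Open return an error instead of corrupted plaintext.
func OpenBytes(key, sealed, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// DemoKey returns a fixed key so the example runs offline. This is for the
// demonstration only; a real key comes from a key manager, not from source code.
func DemoKey() []byte {
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i)
	}
	return key
}

func main() {
	path := []byte("/srv/finance/board-minutes-confidential.docx") // constructed example path
	doc := []byte("Minutes of the 14 Feb meeting (privileged communication)") // constructed content
	sealed, err := SealBytes(DemoKey(), doc, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(doc), len(sealed))

	// Opening with the wrong path (as if the file had been moved or relabelled) fails.
	if _, err := OpenBytes(DemoKey(), sealed, []byte("/tmp/renamed.docx")); err != nil {
		fmt.Println("open with wrong path:", err)
	}
	back, err := OpenBytes(DemoKey(), sealed, path)
	if err != nil {
		panic(err)
	}
	fmt.Println("open with correct path:", string(back))
}
```

Binding the path as AAD is a design choice rather than a requirement of GCM; it costs nothing and means a file that has been copied elsewhere no longer decrypts without the caller also knowing where it originally lived.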
Although an offsite backup will not prevent a doxware attack, it is still important to have. Even if the attacker provides the decryption key after the ransom has been paid, there is no guarantee that the decrypted files will not be irretrievably corrupted.
Doxware attacks are far less common than traditional ransomware attacks, but as any security professional knows, when criminals have the opportunity to make an easy profit, they will take advantage of the opportunity. As Mr. Robot once said, "We're at war." Doxware is simply another insidious weapon in a cybercriminal's arsenal.
If you are concerned about advanced malware attacks, consider building an incident response plan and automating security operations. Automation and collaboration can help reduce ad hoc activities and streamline operations during a crisis. In addition, using automation can help reduce the MTTR and reduce exposure time.