Doxware: A Ransomware Strain Coming Soon to a System Near You


Ransomware, which encrypts data on a victim’s machine and then demands payment of a ransom (usually in bitcoins) to decrypt the data, is running rampant in cyberspace. In fact, ransomware attacks increased more than 600 percent last year compared to 2015. Here’s another frightening statistic: There is a ransomware attack on a company every 40 seconds.

Unfortunately, those attacks are not spread out evenly. Globally, four industries take the brunt of ransomware attacks: business and professional services, government, healthcare, and retail. And the United States is the focus, with two-thirds of attacks occurring here.



Why is ransomware exploding? First of all, many companies are still failing to implement IT security best practices. These include keeping current on software updates and patches, maintaining adequate perimeter defenses, using strong authentication, educating employees, and regularly backing up data.

Second, victims of ransomware make the mistake of paying the ransom. This only encourages attackers to ramp up attacks. Worse still, many pay the ransom and still don’t get their data back.

The ransomware “industry” has become very lucrative, generating more than $1 billion for cybercriminals last year. The average ransomware attack yielded more than $1,000 last year, a 266 percent jump from 2015.Why Should IAM Be at the Core of Your Security Program? Download our EBook »

Evolution of Ransomware

New, more sophisticated ransomware variants continue to emerge from the bowels of cybercriminal networks. These variants are able to avoid detection and cause widespread disruption. The industry is and will remain in a perpetual state of catchup.

Here is a brief list of evolving ransomware variants:

  • Locker ransomware is able to deny access to an infected device, often a mobile phone. Early versions locked the device by bringing the ransomware window to the foreground in an infinite loop, while later variants gained administrator privileges of the device to set the device’s PIN lock.
  • Fake anti-virus attackers warn users that “malware” has infected their device, which can be removed by purchasing fake security software.
  • Crypto ransomware, the most common ransomware type, encrypts data on an infected machine and then demands a ransom for decrypting it.
  • Master Boot Record (MBR) overwriter, a recent ransomware variant, prevents the device’s operating system from booting by overwriting the MBR.
  • Data wiper ransomware renders all data on a hard drive unreadable. Then, the attackers demand a ransom—, not to decrypt data— but to recover wiped data.
  • Hybrid ransomware uses a number of different approaches to maximize profits. The hybrid variant may possess banking Trojan- and worm-spreading capabilities and can attack Internet of Things devices, as well as computers and mobile phones.

Doxware in Action

The newest ransomware variant, doxware, encrypts sensitive data and then steals it. In effect, doxware combines ransomware with a data breach.

The gangs behind these attacks have upped the ante by threatening to publish the sensitive data, such as intellectual property or compromising information, if the ransom is not paid.

Reputational damage from doxware can be significant, making payment of a ransom far likelier. If intellectual property is stolen and disclosed, the consequences for a company could be catastrophic.

To maximize their revenue, cybercriminals using doxware target companies and individuals who would suffer significant damage from release of sensitive information, such as companies that rely heavily on intellectual property or celebrities, politicians, and other public figures.

One of the first doxware attacks in the wild was the Chimera ransomware, which hit German companies in 2015. The malware encrypted files and asked for a ransom to return them, but also came with the warning that if victims did not pay up, “we will publish your personal data, including photos and videos, and your name on the internet.”

In another early doxware attack, known as Ransoc, the cybercriminals warned victims that they had files that violated intellectual property rights or contained child pornography. If the victims didn’t pay up, the cybercriminals threatened to report them to law enforcement.

The Malware Hunter Team has spotted a number of recent doxware variants in action. One particularly insidious variant, called Popcorn Time, gives the victim the choice of paying the ransom or infecting two “friends” with the malware.

Take Action Today

While the use of doxware is still not widespread, you should expect its use to increase, particularly if it continues to be profitable.

The best way to keep yourself and your sensitive information safe is to follow security best practices, which include robust identity management and strong authentication:

  • If possible, eliminate passwords. Put strong authentication on all accounts, even your local Windows account. Two-factor authentication adds an extra layer of security even if credentials are stolen.
  • If you must use passwords, make sure they are complex and unique for each account.
  • Implement least-privilege best practices.

For more on protecting yourself from ransomware, check out our action plan.

Remember that paying the ransom is no guarantee that the files will be decrypted or not shared online. You must be vigilant—or be ready to make it rain some bitcoins.



Subscribe Here!