Information Security

Defending the digital infrastructure

grandeduc - Fotolia

Doxware: New ransomware threat, or just extortionware rebranded?

The threat of ransomware continues to evolve, with a new spin on extortionware, called doxware, that's designed to target and potentially expose sensitive data of ransomware victims.

The easiest way to scare enterprises these days is to announce a new ransomware threat, but experts are unsure if doxware is a worrying new ransomware trend or a rebranding of extortionware.

On the surface, doxware and extortionware seem to be the same thing: malware variants that combine the data hostage threat of ransomware with the added threat of exposing the data publicly -- instead of keeping it encrypted indefinitely -- if the ransom isn't paid. So, in the eyes of many experts, the two terms can and have been used interchangeably.

"There does not appear to be a difference between this and what we have traditionally called extortionware," Casey Ellis, CEO of Bugcrowd, based in San Francisco, told SearchSecurity. "It appears that this simply has a way cooler name."

John Bambenek, threat systems manager at Fidelis Cybersecurity, based in Bethesda, Md., said there was value in better branding of security threats.

"Every few years, there seems to be a change in how we refer to threats," Bambenek told SearchSecurity. "Part of that is marketing, and part of that is the security community trying to raise awareness to threats that are getting better at being criminal."

However, Barry Shteiman, director of threat research for Exabeam, based in San Mateo, Calif., said a major difference with doxware is the traditional mitigation for ransomware of making backups is irrelevant.

"While in most ransomware attacks, a company [that] has good backup hygiene can restore data. In this case, early detection and mitigation is far more important, as restoring data from backup doesn't help if the attacker has gotten ahold of the actual data and is willing to use it," Shteiman told SearchSecurity. "It also means that [data loss prevention] comes into play, as well, understanding if there is any data being exfiltrated."

Jim Walter, senior researcher at Cylance Inc., based in Irvine, Calif., said extortionware and doxware aren't really different, but explained the confusion among experts.

"The only variation is the extra threat of specific data being released or leaked, etc. So, in that sense, it's a little more targeted (possibly)," Walter told SearchSecurity via email. "Beyond that, it is mechanically and fundamentally the same. There nothing novel going on code-wise."

The subtle difference of targeting is the key to the evolution of ransomware, according to Bambenek. "Traditional ransomware tends to be 'napalm the earth' spam runs that aren't specifically crafted to be attractive to a specific victim."

In contrast, doxware attacks will command higher ransoms, because, unlike extortionware, where all victims are threatened with data release, threat actors will either target individuals and enterprises with sensitive data or increase the ransom for victims if sensitive data is found.

"Doxware is a new approach to extortionware that may lead to broader infections. In the past, doxing was usually a targeted attack, which required attackers to research the target. The new doxware uses the ransomware model of mass-target phishing attacks, but in addition to encrypting data and extorting payment to get the key, the attackers now exfiltrate the data and look through it for possible doxing targets," Chris Burchett, vice president of client security software at Dell, told SearchSecurity. "They do this because people started to refuse to pay for ransomware after they got backup solutions in place. So, effectively, the bad guys are using mass-phishing attacks to 'farm' for doxing targets and ammunition."

Richard Henderson, global security strategist for Absolute Software Corp., based in Vancouver, B.C., said doxware may garner higher ransoms, but may not be as widespread a threat.

"Attackers will only be able to launch small campaigns of doxware, because they simply won't have the ability to store the millions of files they need to comb through looking for material; transferring the staggering number of files to the attacker may be detectable -- because if the attacker doesn't move the files off the infected machine, then the extortion threat is hollow," Henderson told SearchSecurity via email. "And perhaps most critically, we shouldn't see attacks like these at the scale we've seen with pure ransomware -- targets (and groups of targets) will be chosen very specifically to maximize ROI."

Travis Smith, senior security research engineer at Tripwire Inc., based in Portland, Ore., agreed doxware is an attempt by attackers to generate more revenue, but said "the amount of doxware or other extortion-based pieces of malware aren't increasing at a worrying rate."

"The amount of legwork required to carry out an extortion-based attack such as these requires initial research into the victim, determining the value of the stolen data, then follow-up actions required on what to do with data, depending on if the victim paid or not," Smith told SearchSecurity. "The typical ransomware malware requires little interaction from the attacker's perspective, meaning a higher return on investment for the criminal endeavors. Extortion-based attacks will probably not increase for the general public, but may be worrisome for high-value targets, which may be known to have valuable data."

Ellis warned "doxware is a far scarier prospect for business targets of ransomware."

"In a business context, typical exfiltration prevention measures will help make life harder for doxware, but data exfiltration is a traditionally difficult problem to solve," Ellis said. "The key here is a focus on prevention; finding these issues before the adversaries do."

Smith said better encryption and phishing defenses are also necessary to defend against doxware.

"Backups will still continue to restore confidence in not losing a life's worth of family photos, but will do little to those who don't want private photos or sensitive documents made available to anyone on the internet. Following guidelines to prevent a phishing attack are the best methods to continue to avoid an infection, such as not clicking links or opening attachments from strangers," Smith said. "Since it's impossible to prevent every piece of malware, it's advisable to prepare for an eventual infection, as well. To prevent being a victim of extortion, users should encrypt all of their files while at rest."

Article 3 of 6

Next Steps

Learn how to prevent ransomware or recover from a ransomware attack.

Find out why phishing awareness is a key element of a positive security posture.

Get info on why encrypting data in the cloud is no guarantee.

Dig Deeper on Threats and vulnerabilities