What is Doxware?

As if ransomware wasn’t a big enough headache as it is, there’s a new twist in this malicious web – doxware. And with our electronic devices containing more personal information than ever, it’s becoming more of a threat.

Ransomware is a piece of malicious software that infects systems and blocks access to data by encrypting it, rendering the data unreadable unless a decryption key is acquired, more often than not at a massive price. If you don’t have a backup that’s fully up to date, you either have to pay the ransom or forfeit your data, and neither scenario is appealing. Ransomware works by breaching systems, often through infected links in emails, but sometimes through fake links to software on dodgy websites. Because many companies now keep up-to-date backups of their data, they can simply wipe their systems clean so there’s no trace of the ransomware, and then restore their data from a recent backup. But this increased vigilance by businesses has given rise to a new form of ransomware – doxware.

Because of increased ransom avoidance, cybercriminals are now attempting to make money out of people’s data in new ways. Doxware is essentially a type of malware that combines a ransomware attack with a personal data leak, meaning that even if the data can be recovered from a backup, copies of personal files are still in the perpetrator’s hands. Because of the threat of release, it’s harder for the victim to avoid paying the ransom, and this offers cybercriminals a new way to make money in an increasingly wary digital age.

While doxware and ransomware share some similarities, they are fundamentally different. Both types of malware encrypt the victim’s files, and both demand a ransom to decrypt them. But in a ransomware attack, the files are not typically removed from the target, just encrypted. Doxware, on the other hand, requires the attackers to have copied the files for the threat to be meaningful at all. Doxware requires strategic planning, which means targets are often chosen carefully rather than at random, which is how ransomware normally operates. Uploading every file is time-consuming, so attackers will often target files with keywords like “confidential”, “sensitive”, or “private” in their names. As such, doxware attacks typically involve small amounts of data, because most cybercriminals don’t have the resources to store terabytes of it.
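Since the article notes that doxware operators prioritise files whose names contain words like “confidential”, “sensitive” or “private”, a defender can run the same search first and tighten access to whatever it finds. The script below is an added example, not from the original article: it walks a directory tree, flags files whose path contains one of those keywords, and reports their sizes. The keyword list and the sample tree it builds are constructed for the demonstration.

```python
"""Exposure check: list files a doxware operator would likely exfiltrate first.
Added example (not from the article); keywords taken from the article's text."""
import tempfile
from pathlib import Path

# Keywords the article says attackers search for; extend for your own naming.
SENSITIVE_KEYWORDS = ("confidential", "sensitive", "private")


def is_sensitive_name(name: str, keywords=SENSITIVE_KEYWORDS) -> bool:
    """Case-insensitive substring match of any keyword against one path part."""
    lower = name.lower()
    return any(k in lower for k in keywords)


def inventory_sensitive_files(root, keywords=SENSITIVE_KEYWORDS):
    """Walk `root`; return sorted (relative_path, size_bytes) for each file whose
    own name or any parent directory name contains a keyword."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if any(is_sensitive_name(part, keywords) for part in rel.parts):
            hits.append((rel.as_posix(), path.stat().st_size))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree for the demonstration only (dummy contents)."""
    files = {
        "finance/Q3_CONFIDENTIAL_forecast.xlsx": 4096,
        "hr/private/salaries.csv": 512,
        "marketing/press_release.docx": 2048,
        "legal/sensitive-contracts.pdf": 8192,
        "readme.txt": 64,
    }
    for rel, size in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * size)
    return files


def demo():
    """Build the sample tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory_sensitive_files(tmp)


if __name__ == "__main__":
    for rel, size in demo():
        print(f"{size:>6} B  {rel}")
```

Run it against a real file share instead of the sample tree to see how small the high-value set is, which is exactly why exfiltrating it is quick; those paths are the ones to lock down and monitor for unusual read volume.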

Cybercriminals want to maximise their profit from doxware scams, which means they tend to target businesses and organisations they know are likely both to hold private information and to pay up. In 2014, Sony Pictures was hit with a high-profile doxware scandal, which saw the release of private email chains between staff discussing details of future movies and actors’ salaries. Looking at what happened to Sony, it’s easy to see how crippling a doxware attack can be. And it isn’t just businesses, either. While most doxware is targeted, smaller-scale cybercriminals might pick victims at random, which means an unsuspecting home user could find their private documents in the hands of a doxware attacker. This latest malware threat highlights the need for adequate protection against these scams.