Doxware: Ransomware evolution or merely media hype?
The world of ransomware continues to evolve, finding clever new ways to extort victims for higher sums of money. Case in point? Doxware. This spin on ransomware not only holds your personal information for ransom but also threatens to publish identifiable details online. Imagine if someone made your name, address and private chat conversations public if you refused to pay a ransom. Scary right?
In this blog post we will explore doxing, and how ransomware criminals are turning to this morally dubious practice to extort higher ransoms. Netflix and Larson Studios are learning about doxing the hard way. Don’t be the next victim. Stick around and stay ahead of malware criminals.
But before we dive into the ins and outs of doxware, let’s start at the beginning…
What is doxing?
Doxing or doxxing derives from the word “docs” (documents). It refers to the act of exposing someone publicly by means of posting private conversations and identifiable details such as phone numbers or a physical address online. It is commonly associated with internet harassment and usually conducted with malicious intent.
Sideways Dictionary offers a fitting analogy:
“It’s like vigilantism – a way for people to take the law into their own hands to ‘out’ someone. But, like vigilantism, it can have unintended consequences if the wrong person is outed or the effects go too far.”
The most famous example was the Satoshi Nakamoto case whereby Newsweek attempted to out the identity of the supposed creator of Bitcoin.
More recently, a fellow malware analyst that found the killswitch for the WannaCry ransomware attack found himself under pressure from media and accused UK tabloids of doxing his friends to find out his identity and personal information.
Crypto-anarchic hacking group Anonymous are even guilty of the deed. However they got it seriously wrong when they doxed and outed a US police officer as the shooter of young Michael Brown in Ferguson. In this case, the careless exposure of a private life served no purpose whatsoever. The wrongly accused officer was attacked, hospitalised and publicly shamed without cause.
Which begs the question:
Is doxing ethical?
When we consider the effects of revealing an anonymous individual’s identity online, we are quickly moving into some murky ethical and legal territory.
Was Newsweek’s article outing Satoshi Nakamoto good journalism? By his own admission, Ben Wiseman, the journalist in question, obtained the email address of Mr Nakamoto through a model train supplier and spent two weeks befriending the man before even mentioning the word ‘Bitcoin’. It also turned out that it is likely he had the wrong person.
More than just a privacy issue, the tactics employed to gain access to privileged information sound suspiciously like those of phishing scams: An individual targeted by someone who obtained their email address without their permission and attempted to establish a relationship to gain something. Sound familiar?
For journalists, these practices seem to be seen in a positive light. At journalism’s core, there is the belief that by making previously unknown information public they are fulfilling the role of truth-telling.
Yet there are arguments that the methods we would describe as doxing are not about privacy at all, but about abuse and power:
“The issue isn’t whether information is private. It’s whether it’s meant to cause harm, or could reasonably be expected to cause someone harm.”
As ambiguous as the legal and ethical ramifications of doxing are, distinguishing doxware from typical ransomware is equally difficult because despite so many online articles talking about it, there is no widely publicised doxware out there.
What is doxware? Is it even a thing?
Doxware, sometimes referred to as extortionware, is a software that exploits vulnerabilities in a victim’s computer system to gain access to sensitive information and threaten to make it public if demands are not met. It combines the words ‘doxing’ and ‘ransomware’, as it uses extortion akin to doxing and combines it with infection methods commonly seen by ransomware.
In effect, doxware is the use of malicious software to publicly out a person or company with the release of sensitive, identifying information, the consequences of which can be unknown.
How can a doxing attack affect you personally?
Imagine a hacker took photos of your children from your computer and private emails that could include correspondence between yourself and their school. Now the hacker has photos of your children and the known whereabouts of where they spend 8 hours a day. Would you want this published online for any creep to find?
Of course not.
Yet due to the nature of doxware, which we will outline in more detail later in the article, the main targets of doxware are enterprises, rather than individuals.
Doxing in action: Larson Studios, Netflix and The Dark Overlord
It started with the leak of the first episode of ‘Orange is the New Black’ Season 5 which was not due to be released until June 2017. The Dark Overlord, a notorious cybercrime group had stolen a lot of intellectual property by exploiting a vulnerability in the security of Larson Studios, an audio production company used by many major TV and film studios.
The Dark Overlord would not reveal their attack method nor how much the ransom demand was, but DataBreaches.net was able to obtain a copy of a contract reportedly signed by both The Dark Overlord and a representative of Larson Studios.
The contract, signed December 27, indicated that the studio would pay The Dark Overlord 50 bitcoins ($67k) by January 31. The Dark Overlord reportedly signed the contract as ‘Adolf Hitler.’ DataBreaches.net claims that “the signature of the company representative was indecipherable.”
The Dark Overlord later claimed that it was the signature the CFO Larson Studios
When Larson Studios failed to pay, The Dark Overlord turned to Netflix directly for the ransom.
Netflix responded cooly:
“We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.”
When they failed to receive payment for the second time, The Dark Overlord released the remainder of season 5 of ‘Orange is the New Black’.
The PasteBin link in the above tweet leads readers to the following message which also included the torrent link to download episodes 2-10.
Whether Netflix will bow to pressure and pay The Dark Overlord remains to be seen.
Naturally, as the series are released on their own over time, the value of the stolen data decreases to nothing. Perhaps this negates the need for Netflix to appease the hacker group at all.
However, with 36 more titles under threat including ‘New Girl’, ‘Portlandia’ and the new Vin Diesel movie ‘XXX: Return of Xander Cage’, there are still opportunities for other studios to be extorted.
There has been much online support for The Dark Overlord, who are seeking a share of Netflix’s $8.8 billion reported earnings for 2016. However, before getting excited about the prospect of free TV for all, think before you idolise these criminals.
Before they went after the major studios, The Dark Overlord targeted hospitals. In fact, they are responsible for the theft of thousands of private patients medical files from various hospitals throughout the end of 2016. These files were also held for ransom.
These are not acts of crypto-anarchism or political protest. These are acts of pure greed and should not be glorified regardless of their target.
The hacking group continues to threaten Netflix and the other studios, saying,
You’re going to lose a lot more money in all of this than what our modest offer was. We’re quite ashamed to breathe the same air as you. We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. And to the others: there’s still time to save yourselves. Our offer(s) are still on the table – for now.
Evidently, the public harassment and extortion aspects are key to a doxing attempt, whether the information is obtained via phishing or the execution of specific software.
Screenshot from stolen ‘XXX: Return of Xander Cage.’ Redacted by TDO.
Stages of a doxware attack
A doxware attack starts off in the same way as ransomware: cybercriminals gain access to a computer, take it hostage and seek a ransom for the safe return of the targeted documents. However, in this case, the cybercriminal also threatens to make public any archives, confidential information, and conversations saved on the device. Out of fear of having their private data put out there for all the world to see, victims will most likely pay the ransom.
Why are businesses are the ultimate target? There are two main reasons:
- The chance of receiving a higher ransom improves when a company with potentially sensitive information is attacked.
- The way in which a business is attacked and the access that is gained by cybercriminals.
A typical ransomware attack utilises phishing spam email to inject itself into a system but rarely gives the developer full access to it. However, business servers are attacked by an infection method known as RDP attack which allows hackers unlimited access to a business network and all the information contained within it.
Remote Desktop Protocol (RDP) attacks, or ‘really dumb password’ attacks, occur when companies leave RDP client ports open to the Internet, and, knowing this, attackers scan blocks of IP addresses for open RDP ports.
Because RDP attack gives a hacker direct access to the server and all that it contains, all ransomware spread by RDP has the potential to become doxware.
MedStar Health, a regional healthcare network in the US suffered a major attack via this method. It affected 10 hospitals and more than 250 outpatient centers in March 2016. Cyber criminals demanded 45 bitcoins (~USD$19,000) to unlock the company files. Though this specific attack wasn’t a doxware attack, it had the potential to expose privileged information if MedStar didn’t pay.
While RDP is a popular attack vector for business access, but that doesn’t mean the old phishing email tactic doesn’t still work for large corporations. The 2014 Sony hack is the perfect example, whereby an email phishing campaign took hold of private conversations between directors, actors and staff and made them public. Whole films were even leaked online.
By now you may be wondering, ‘if it acts like ransomware and sounds like ransomware, what is the actual difference between doxware and ransomware’? Are these examples even doxware? Because the line between doxware and ransomware is a fine and even blurry one, it’s very easy to confuse the two.
It is true that both attacks access computers via the same methods. They even spread throughout the infected system the same way. But there are key characteristics that distinguish them.
Doxware v ransomware: what’s the difference?
Ultimately, there are 5 key differences between ransomware and doxware:
- Exposure v encryption. While ransomware threatens victims through encryption of data, rendering it useless until a ransom is paid, doxware threatens to make public sensitive information that is has created copies of. You may still have full access to all of your files following a doxware attack, so decrypting or restoring from a backup does not solve the threat of exposure.
- Targeted v scattered infection. Though both use spam emails to spread, doxware needs to gather specific sensitive information about its targets to make the exposure threat credible. Ransomware campaigns on the other hand target more broadly, such as specific countries. This extra work required by doxware attackers is often mitigated by asking for a higher ransom.
- Considered attacks yield better targets. Doxware can use the sensitive information it has gathered, such as the details of all of your contacts, to target and infect new people.
- Fewer files, but a bigger impact. While ransomware tends to encrypt all or most files once it has taken over a victim’s system, doxware typically targets a smaller number of files. This is because it is unlikely the hacker has enough space to store thousands of your files and the movement of large numbers of files can be detected more easily.
- More work = more ransom. Because of the risk of public embarrassment or damage to a company’s reputation, doxware attackers tend to demandhigher ransom compared with typical ransomware developers.Higher ransom is also requested to compensate for the added work required in such a highly-targeted approach.
To summarize, in a ransomware attack the malware encrypts your data and demands payment to return the files. In the case of doxware, your files and private information are copied and held at the threat of public disclosure.
Ransomware = takes information
Doxware (extortionware) = releases information
Luckily, since the infection methods of both attacks are the same, doxware can be prevented in much the same way as ransomware.
How to protect against a doxware attack
While doxware is still an emerging threat, it behaves similarly to a ransomware infection. There are some simple steps you can take to prevent it affecting your life:
- Learn about common phishing scams and how to prevent them because as you now know, doxware is most likely to enter your system via typical ransomware infection methods such as scam emails.
- Spring clean your computer regularly with these 5 steps to prevent doxware from ever entering your system.
- Run a respected anti-malware suite and keep it updated to prevent zero day threats such as newly released doxware and ransomware strains.
Prevention is the best cure against all kinds malware: follow the above advice today to start preparing yourself and your system for the threats of tomorrow.
Is doxware a real threat? Share your thoughts in the comments!
Have a great (malware-free) day!
- Are all hackers criminals?
- Don’t spread the love: Valentine’s Day scams to…
- Emsisoft customer stories: When Harry met Ransomware
- WannaCry Ransomware: Interview with Emsisoft’s…
- Beware! That Windows 10 update message could be ransomware…