Ready for Doxware?

News and information from the Advent IM team.

A guest post from Del Brazil –  Advent IM Security Consultant

Image result for pirate flagDoxware is a more vicious version of Ransomware in that not only does the hacker holds the user to ransom having encrypted their files but also threatens to release sensitive information, photos and/or conversations into the public domain until such time a ransom is paid.

Its origin has never been fully documented but one of the first Doxware variants to appear was “Ransoc.” This malware, once installed, informed the victim their computer allegedly contains child sexual abuse materials and software/material that violates intellectual property rights. The malware then informs the victim that they will, unless they pay a ransom go to prison.

Any Doxware attack requires detailed planning to target specific individual’s within organisations who maybe prominent figures within organisations such as corporate leaders, politicians, celebrities and other persons of influence.

Currently attacks have been directed towards Windows users; however that doesn’t mean that everyone should rush out and change to alternative operating systems. Doxware is likely to morph into a more generic piece of ransomware which can be used on multiple platforms as it self-replicates around systems.

Now that we’ve scared even the most security savvy of you let’s look at the basics to defeating/deterring any Doxware/Ransomware attack. In the first instance as with any defence it’s all about education and making the user community aware that such attack actually exists and that they maybe subjected to an attack either at work or at home. Generally speaking a Doxware attack is directed towards a known person who may have access to sensitive information or key business information, this maybe in the form of a Spear Phishing email campaign where users are encouraged and/or tricked into clicking/following links to scrupulous websites that may install the Doxware/Ransomware payload.

As with all things internet based it is imperative that any Anti-virus, Anti-Spyware and/or Anti-malware software is kept fully up to date with regular scans being carried out in an attempt to identify, delete or quarantine any suspicious file, document or code etc. Obviously no Anti-virus or similar product can protect a system from a Zero day attack but at the very least you are protected against known viruses.

Another and maybe more pragmatic solution is to store any sensitive and/or key data somewhere else than on a local hard drive; however Doxware and/or Ransomware can still attack servers stacks within data centres if the correct person initiates an attack. As with all industry best practices Doxware and/or Ransomware shouldn’t be too much of an issue but more of an inconvenience if sufficient back up and restoration procedures are in place. This would potentially only require the victim to replace the infected/encrypted hard drives and restore from the latest back up; however consideration needs to be given to this albeit relatively simple process as the amount of time taken to recover from an attack as this may impact on business services and/or other interested parties.

Again we fall back on the weakest point within a system, the user as no matter how much training and education you provide there is always an individual who will inadvertently or deliberately, out of curiosity, click that ‘unknown email’ and facilitate an attack of some description.

Is it more appropriate to rebrand Doxware as Extortion-ware as in simple terms that is exactly what it does; although appropriate the term doesn’t have the same kind of kudos that Doxware does. It is rapidly becoming the replacement for Ransomware and is likely to become the most feared attack throughout 2017.

Share this Post

%d bloggers like this: