‘Doxware’ Blackmails You With Your Own Private Files

The next phase of the ransomware scourge might be extorting you for your privacy.

By Kevin Collier

It’s bad enough when a hacker locks your files, demanding a ransom if you ever want to access them again. But a few innovative criminals are taking it a step farther: promising to share your private files with the world if you don’t pay up.

Researchers have dubbed it “doxware.” The term is a combination of ransomware, the suddenly ubiquitous type of malicious program that holds your computer files hostage until you pay up, and “doxing,” the age-old hacker practice of unnerving an opponent by publishing their name, address, family members, or any other kind of personal information online.

Doxware isn’t nearly as widespread as ransomware — researchers discover several new variants of the latter each week. “So far [Doxware] has only hit Windows,” Nathan Scott, Senior Security analyst at cybersecurity firm Malwarebytes, told Vocativ. “But as we all know, it won’t stay that way forever.”

You can think of most doxware as traditional ransomware, with the ugly twist of doxing added on at the end. Victims are greeted with a typical ransomware screen, which alerts users that their computer files have been encrypted and gives a ticking clock for paying the ransom. But in one variant, it tells the user it’s uploaded all their login information, contacts, and Skype history onto a server, and promises to send that information to each of the victim’s contacts if they don’t pay up.

(Nathan Scott/Malwarebytes)

An earlier version uploaded large chunks of user data on a server, Scott said. “They used to try to send up as many files as they could, but I think they realized that storage-wise, that’s silly, because they’ll never be able to hold that many files.”

More recent variants run a script that looks for filenames containing words that suggest something private or embarrassing, like “resume” or “nude.”

“Almost all of it’s automated,” Scott said. In some cases, personal information is posted to Pastebin, or a similar site where users can anonymously post plaintext information, with the threat that it can be sent to the victim’s Facebook, LinkedIn, and Twitter contacts, he said.

Malwarebytes has seen five different variants in recent months, Scott said. Other cybersecurity firms have seen them sporadically, too. “We have only seen one such message in one ransomware family […] that promises to publish your private data to public sources,” Anton Ivanov, senior malware analyst at Kaspersky Labs, said in an email. While that version is based on a variant of ransomware that some programs can now remove, it’s easy to get infected. “The initial vector of such malware is the same as typical ransomware or other malware, so every unprotected workstation is in danger,” he said.

Researchers have given a pretty simple explanation for the recent rapid rise of ransomware: It’s extremely effective and profitable. For anyone who does get it, there’s little recourse unless they’re hit with a version that a cybersecurity company has already created a remedy program for. There are no known arrests of someone deploying ransomware against an American network or system. In plenty of high-profile cases, like hospitals, universities, and police departments, victims simply have no options and eventually give up and pay the money.

As always, a few precautionary measures make it easy to avoid: Some companies, including both Malwarebytes and Kaspersky, offer antivirus programs created precisely to stop ransomware from being deployed. Traditional preventative methods of fighting the efforts of hackers — not falling for sketchy emails, and regularly backing up your computer in case you do get infected — work just as well.

This story originally appeared on Vocativ on September 30th, 2016.
