A+ A A-

Doxware: Ransomware evolution or merely media hype?

The world of ransomware continues to evolve, finding clever new ways to extort victims for higher sums of money. Case in point? Doxware. This spin on ransomware not only holds your personal information for ransom but also threatens to publish identifiable details online. Imagine if someone made your name, address and private chat conversations public if you refused to pay a ransom. Scary right?

In this blog post we will explore doxing, and how ransomware criminals are turning to this morally dubious practice to extort higher ransoms. Netflix and Larson Studios are learning about doxing the hard way. Don’t be the next victim. Stick around and stay ahead of malware criminals.

But before we dive into the ins and outs of doxware, let’s start at the beginning…

What is doxing?

Doxing or doxxing derives from the word “docs” (documents). It refers to the act of exposing someone publicly by means of posting private conversations and identifiable details such as phone numbers or a physical address online. It is commonly associated with internet harassment and usually conducted with malicious intent.

Sideways Dictionary offers a fitting analogy:

    “It’s like vigilantism – a way for people to take the law into their own hands to ‘out’ someone. But, like vigilantism, it can have unintended consequences if the wrong person is outed or the effects go too far.”

The most famous example was the Satoshi Nakamoto case whereby Newsweek attempted to out the identity of the supposed creator of Bitcoin.

More recently, a fellow malware analyst that found the killswitch for the WannaCry ransomware attack found himself under pressure from media and accused UK tabloids of doxing his friends to find out his identity and personal information.

Crypto-anarchic hacking group Anonymous are even guilty of the deed. However they got it seriously wrong when they doxed and outed a US police officer as the shooter of young Michael Brown in Ferguson. In this case, the careless exposure of a private life served no purpose whatsoever. The wrongly accused officer was attacked, hospitalised and publicly shamed without cause.

Which begs the question:

Is doxing ethical?

When we consider the effects of revealing an anonymous individual’s identity online, we are quickly moving into some murky ethical and legal territory.

Was Newsweek’s article outing Satoshi Nakamoto good journalism? By his own admission, Ben Wiseman, the journalist in question, obtained the email address of Mr Nakamoto through a model train supplier and spent two weeks befriending the man before even mentioning the word ‘Bitcoin’. It also turned out that it is likely he had the wrong person.

More than just a privacy issue, the tactics employed to gain access to privileged information sound suspiciously like those of phishing scams: An individual targeted by someone who obtained their email address without their permission and attempted to establish a relationship to gain something. Sound familiar?

For journalists, these practices seem to be seen in a positive light. At journalism’s core, there is the belief that by making previously unknown information public they are fulfilling the role of truth-telling.

Yet there are arguments that the methods we would describe as doxing are not about privacy at all, but about abuse and power:

“The issue isn’t whether information is private. It’s whether it’s meant to cause harm, or could reasonably be expected to cause someone harm.”

As ambiguous as the legal and ethical ramifications of doxing are, distinguishing doxware from typical ransomware is equally difficult because despite so many online articles talking about it, there is no widely publicised doxware out there.

What is doxware? Is it even a thing?

Doxware, sometimes referred to as extortionware, is a software that exploits vulnerabilities in a victim’s computer system to gain access to sensitive information and threaten to make it public if demands are not met. It combines the words ‘doxing’ and ‘ransomware’, as it uses extortion akin to doxing and combines it with infection methods commonly seen by ransomware.

In effect, doxware is the use of malicious software to publicly out a person or company with the release of sensitive, identifying information, the consequences of which can be unknown.

How can a doxing attack affect you personally?

Imagine a hacker took photos of your children from your computer and private emails that could include correspondence between yourself and their school. Now the hacker has photos of your children and the known whereabouts of where they spend 8 hours a day. Would you want this published online for any creep to find?

Of course not.

Yet due to the nature of doxware, which we will outline in more detail later in the article, the main targets of doxware are enterprises, rather than individuals.

Doxing in action: Larson Studios, Netflix and The Dark Overlord

It started with the leak of the first episode of ‘Orange is the New Black’ Season 5 which was not due to be released until June 2017. The Dark Overlord, a notorious cybercrime group had stolen a lot of intellectual property by exploiting a vulnerability in the security of Larson Studios, an audio production company used by many major TV and film studios.

The Dark Overlord would not reveal their attack method nor how much the ransom demand was, but was able to obtain a copy of a contract reportedly signed by both The Dark Overlord and a representative of Larson Studios.

The contract, signed December 27, indicated that the studio would pay The Dark Overlord 50 bitcoins ($67k) by January 31. The Dark Overlord reportedly signed the contract as ‘Adolf Hitler.’ claims that “the signature of the company representative was indecipherable.”

The Dark Overlord later claimed that it was the signature the CFO Larson Studios

When Larson Studios failed to pay, The Dark Overlord turned to Netflix directly for the ransom.

Netflix responded cooly: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.”

[ Full text