Doxware & Ransomware: Perfect blend of advanced Extortionware
Himanshu Vohra, Co-Founder, AVP Cybersecurity
The name "ransomware" evokes a horrible feeling in anyone who has had the bad luck of being a victim of one of these attacks, or who has heard about its devastating impact on its victims; today we are more conscious of the need to understand this type of malware. As the threat of ransomware continues to evolve, a new spin on the legacy of extortionware has arisen as another face of the multi-faceted Hydra: Doxware, which is designed to expose data and other sensitive leaked credentials after a ransomware attack.
Both ransomware and doxware are highly automated and targeted, but doxware is the more evolved of the two and poses a greater threat to data than ever before. With ransomware, in more than 80% of cases the data stays on the system, hidden behind a virtual encrypted wall. With doxware, however, the data is made public via links and dumps, spreading fear among everyone present in the cyber arena.
Ransomware affects its victims in two main ways: either it locks the infected device so you cannot use it again (locker ransomware), or it encrypts your most sensitive data so you cannot read it again (crypto-ransomware). Without the decryption keys from the attacker, who will not hand them over unless you pay the demanded ransom, you cannot recover your encrypted data or your locked device.
Ransomware can be delivered to the victim's machine through several techniques, among them:
- Phishing: the attacker tricks the victim into downloading a malicious attachment by sending a legitimate-looking email.
- Exposed RDP: attackers can abuse the Remote Desktop Protocol (RDP) when the target machine's port for it (3389) is open, giving them the ability to download and install any file on the target machine.
- Removable media: an infected USB stick or other removable medium plugged into the targeted device.
Doxware, by contrast, involves a process called doxing: gathering information about the target, getting access to the target's data, and making it public. Like ransomware, doxware is delivered through mass-scale phishing techniques. It then exfiltrates the data and mines it for further potential doxing targets. As with ransomware, the attackers encrypt the target's data and demand payment in exchange for the key and for refraining from leaking the sensitive data.
When it comes to removing ransomware from an infected device, the ransomware's characteristics matter: some strains are hard to remove, while others need only a simple step, such as running a decryptor specific to that ransomware.
So it is important to know which ransomware we are facing: how strong is the ransomware that infected the device, and what are the means to defeat it.
Recent research in the field classifies ransomware attacks by measuring the strength of the encryption methods the ransomware applies to accomplish its goal on the victim's machine.
How can we classify ransomware?
According to a paper published by IEEE under the title "A Key-Management-Based Taxonomy for Ransomware," ransomware strength can be classified by how it encrypts the data and how it generates, protects and manages its encryption keys.
The classification has six categories, based on the researchers' study of 25 ransomware families.
C1 ransomware is the weakest type: the ransomware just pops up the extortion message to the victim without actually encrypting the data (scareware). Sometimes the ransomware displays the message before it starts its dirty encryption work, allowing the victims or their anti-virus defenses to take action to stop the encryption process as soon as they see the ransom message.
- The decryption keys are shipped along with the ransomware code, so the key can be found by reverse engineering the ransomware.
- The ransomware uses the same keys for all its victims, letting them share the keys and decrypt their data.
- In some cases the ransomware implements the encryption algorithms so poorly that the implementation can be exploited to recover the keys.
- The last case in this category is the easiest way to escape the extortion: having a backup of the affected data.
- In some cases the ransomware fails to delete its keys from the victim's machine; with some searching of the filesystem, the victim can find the keys.
- Some ransomware does not start encrypting until it receives the encryption keys from the attacker's server; simply cutting off the internet connection stops the malicious encryption.
- Decryption tools exist for some ransomware families, making it easy to retrieve the data.
- Sometimes the means of stopping the attack lies outside the attacker's control; we call this a kill switch. That is what happened with the WannaCry ransomware.
- Compromising the C&C (command and control) server, or simply analyzing the network traffic between the infected machine and the C&C server, can help in retrieving the ransomware keys.
- Some ransomware developers write their own encryption algorithms, which makes breaking the ransomware's encryption easy for cryptanalysts.
- In a few cases, retrieving the keys requires a special environment. An example is WannaCry, whose keys can only be retrieved on Windows XP.
- Some types of ransomware do not encrypt all the files on the victim's machine; those untouched files are the most wanted ones for the lucky victim.
The most dangerous type of ransomware belongs to this category: the ransomware is implemented perfectly, and so far no way has been found to exploit its encryption implementation.
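A defender's triage step for the two list points above about backups and files the ransomware left untouched: this is an added Python example, not code from the article or the cited paper, that walks a directory and separates files that still parse as their claimed type from files whose contents look like ciphertext, so an incident responder can see what is intact and what must come from backup. The file-signature table, the 7.5 bits/byte threshold and the sample files it builds are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Header bytes for a few common formats (minimal constructed table; extend as needed).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}
TEXT_EXTS = {".txt", ".csv", ".log"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 4096) -> str:
    """'intact' if the header still matches its extension or a text file is still
    printable; 'encrypted' if the content is near-random (> 7.5 bits/byte);
    else 'unknown'. Caveat: compressed formats missing from MAGIC also score
    high and need a manual look, so this is triage, not proof."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC and head.startswith(MAGIC[ext]):
        return "intact"
    if ext in TEXT_EXTS and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "intact"
    return "encrypted" if shannon_entropy(head) > 7.5 else "unknown"

def triage_directory(root: str) -> dict:
    """Walk root and bucket every file by classification: {label: sorted names}."""
    buckets = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            buckets[classify_file(os.path.join(dirpath, name))].append(name)
    return {k: sorted(v) for k, v in buckets.items()}

def build_sample_dir() -> str:
    """Constructed stand-in for a hit machine: untouched files, a .locked file, a blob."""
    root = tempfile.mkdtemp(prefix="triage_")
    samples = {
        "report.txt": b"Quarterly report: revenue up 4%\n" * 20,
        "logo.png": MAGIC[".png"] + b"\x00" * 120,
        "budget.xlsx.locked": bytes(range(256)) * 16,  # every byte value equally often
        "cache.bin": b"\x00" * 64,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Running `triage_directory(build_sample_dir())` reports the text and PNG files as intact, the renamed `.locked` file as encrypted, and the zero-filled blob as unknown.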
Impact of Ransomware in India and the rest of the world
Ransomware is not only about weaponizing encryption; it is also about exploiting fractures in the mind with a weaponized message that demands a response from the victim. A recent study of ransomware and its effect on India reported that Indian firms paid over 1.5 million USD (approximately 9 crores) in ransom on average to mitigate the threat of ransomware. More than 82% of Indian firms were targeted by ransomware last year, a 15% increase from 2017. Interestingly, Delhi NCR tops the list, followed by business hubs such as Bengaluru, Kolkata, Mumbai, Chennai and Hyderabad, according to the "State of Ransomware 2020" global survey by cybersecurity firm Sophos.
Fighting ransomware and doxware can be daunting, but the more we know about our enemy the better we can fight and protect ourselves, and this war can be fought with multiple weapons. One of them is classifying ransomware into categories, which tells us how virulent a given ransomware is and how much effort it would take to escape the extortion without paying. Protecting against ransomware is the first line of defense against a doxware attack.
With Cybervention we aim to build a more comprehensive understanding of ransomware so that we can play a role in fighting these types of attacks.
Author: Marah Aboud, Security Analyst