There is always a need to define the terms you use, before assuming everyone else will understand what you are saying. In this case, we want everyone to be on the same page, so to speak, during any discussion of Doxware. If this is the first article you are reading about the subject, you may not be familiar with any of the terms. So I will start with the most basic, ransomware.
Ransomware is any software that attempts to hold your files for ransom, hence the term ransomware. Definitions for the term ransomware vary. Google defines ransomware as "a type of malicious software designed to block access to a computer system until a sum of money is paid." Wikipedia defines it as "a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan, whose payload is disguised as a seemingly legitimate file; thus, ransomware is an access-denial type of attack that prevents legitimate users from accessing files." Techtarget defines it as " malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key. " And the PCTools website defines it as "a category of malware that demands some form of compensation, a ransom, in return for data or functionality held hostage." It must be noted that crypto-ransomware is a subset of the ransomware category. When I refer to ransomware I am, for the most part, referring to crypto-ransomware, which - according to Symantec's ISTR report on Ransomware and Businesses 2016 - is currently the largest portion of the ransomware family (see chart below from the report).
Most ransomware uses some form of encryption to make it impossible for the infected user to access his/her files. Since encryption is so integral to ransomware, lets try to give a basic definition of that as well. Once again, let's start with google's definition, "To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text ;encrypted data is referred to as cipher text." Wkipedia defines encryption as, "the process of encoding messages or information in such a way that only authorized parties can read [them]." The best explanation of 256 bit AES encryption is located here. I summed it up previously with this paragraph: Even if you had machines that could decode at gigaflop (a billion Floating point Operations Per Second – FLOPS) rates, and were able to hook a billion of these computers together, since AES 256 bit encryption has 2256 different possible combinations. It would take ~6.7 x 1040 times longer than the age of the universe to exhaust half of the keyspace of one AES-256 bit key. (taken from previous Ransomware article). It should be noted that many ransomware variants are now using AES 1024 bit encrytion.
Decryption is just the inverse of encryption.
Many variants of ransomware rely on payment through something called Bitcoin. So what exactly is bitcoin, and why use it? Many have said that if bitcoin did not exist there would not be such a problem with ransomware. Let's investigate this more thoroughly. First, what is bitcoin? It is as form of virtual money. To be more exact, google defines it as, "a type of digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank." Wikipedia defines it as, "a digital asset and a payment system invented by Satoshi Nakamoto, who published the invention in 2008 and released it as open-source software in 2009. The system is peer-to-peer; users can transact directly without an intermediary. Transactions are verified by network nodes and recorded in a public distributed ledger called the block chain." (it goes on if you are interested) Bitcoin.org defines it as, "[a payment method that] uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system."
Malvertising is a term used with different types of malware. It is a combination of the words malicious and advertising (hence malvertising). This is, most basically, when advertising, instead of sending you to the supposed site of the advertisement, sends you to a clone of the ad site which hosts malware that is downloaded and installed on your computer. Interestingly enough, the problem is most dire because many websites will have third parties that host the advertising on their sites. If the third party's servers are infected with malware, then all the sites that they serve advertisements to may receive malvertising instead of advertising. Definition on google, "the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages." On wikipedia, "the use of online advertising to spread malware."
The most basic definition of doxing is the practice of using personal documents (dox) - with personally identifiable information - to extort money from an individual or company. Wikipedia's defintion is, " ... the Internet-based practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual or organization." There is a definition on reddit that goes as follows, "... refers to the search for, and subusequent publication of private (read: non-public) personal information of people. Specifically, the names, numbers, residences, etc. of users on anonymous sites who aren't figures of entertainment, sports, politics, or other public media, as well as their friends, family, and associates. "
It comes down to extortion. There is no nice way to put it.
Doxware is Doxing combined with ransomware. This is where some malefactor will get you to download malware on your computer that will upload those documents with personal information in them to their own server and then extort money from you, usually in Bitcoin, in order for you to retrieve said information. Remember that the only guarantee you have that your information has NOT been copied, is a criminal's word, who has a financial interest in keeping a copy of those documents.
How to Protect yourself
The only real way to protect yourself from this type of attack is prevention. There are a number of different avenues to help you in this regard. First and foremost, backup, backup and backup. Second, harden your network and/or personal computer to withstand said attacks. Third update all your software, since updates usually have some security aspect. Finally, keep any and all security software up-to-date and active.
Let's first look at backup. A good backup strategy will protect you from nearly everything. But this is nothing to be taken lightly. Backup can be easy, but also needs to be constantly tested and revisited. Remember, if your backup cannot be restored, then it is worse than useless. What your backup strategy is depends on what operating system you use. For instance, If you are a MAC user, the backup system of choice is the one that comes bundled with the operating system, Time Machine. But if you use Time machine, you MUST follow certain minimum precautions.
The first thing you might ask is what is backup, at least what does it mean to me? The definition I use is that backup is basically the way in which you store a copy of your current working data. But why should you backup up at all? It can be summed up in a single sentence, “Any files you do NOT have backed up in at least two places, are files you do not care about.” This means two places OTHER than the originals. And the reasons you might sometime want those backups are too many to list, but several of the categories the reasons would come under are:
But, you ask, how does one backup? What software should you use? What about hardware? In terms of Software, there are a plethora of options available, but there are several Free tools you should not miss using (especially if you are a home user).
Paragon (depending on who you are and what you do, this software may be free for you - Experts Exchange members with at least 50k points can request free copies from here)
Where should one backup to (in all cases storage space is the limiting factor)
Cloud (most cloud plans have an unlimited storage option), I have listed a few
How often should I backup
What is the difference between backups and archives? This may sound like semantics, but the difference is important. Most general users only create backups, while most professional information technology people use both backups and archives. Whatever someone does, a specific and exact plan is a necessity.
Plans/Planning - No matter what you do, you will need to plan out how you will implement your backup strategy. There are various ways to backup, the most common is disk to disk backup. Disk to disk backup means just that, backing up from one disk to another. The second disk is many times not quite as good as the "working" disk, whether this is because of speed, capacity or something else in this case doesn't really matter. The second disk is usually a USB external drive for home users, which should be kept away from the computer when not in use (preferably in a separate room). Disk to cloud is another very common option (crashplan, spideroak, comodo, etc.). Many times D2D and D2C are combined (for instance, disk to disk to cloud). D2C has the added benefit of keeping another copy at a physically different place than the original. Some Information Technology professionals (at least those concerned with backup) will implement either disk to disk to cloud or disk to disk to tape backup scenarios. In many cases the final archive is stored at a place like Iron Mountain.
Bare-metal versus File Backup - I include this section because all too often people confuse these two types of “backup”. Many programs that can do BM backups can also do file backups, but not necessarily the other way around. For instance,
Whether you are a home user or an IT professional, a backup is only good if it works. It is imperative to test out your backup and restore plan to completion. If your backup strategy is an excellent one, but when it comes time to restore and it doesn’t work, you have been wasting your time and resources. This doesn’t have to be gut wrenching. If you don’t have a second system you can test this out on, make a backup of your primary system then test it that way. The best time to do this is when you just buy a system, so that if it doesn’t work there is not a lot to do to rebuild it (most of the time there is a recovery partition that will do it for you, if there isn’t one you can create one with a tool like Paragon suite or Acronis home edition).
First let me explain that I am extremely paranoid about computer security issues and computer backup issues. This means that I only feel safe if I am running unknown programs and visiting unknown sites in a virtual machine. In that way, if anything happens, I simply exit the virtual machine and delete to the last saved image. But since most people do not run VMs, I thought it would be a good idea to delineate the best way to harden your computer against malware (malicious software includes, but is not limited to, virii, adware, malvertising, Browser Helper Objects - BHOs and just about anything else that gets onto your computer which you didn't want there).
So how can you prevent these things from wreaking havoc on your computer? There are several steps you can take. The first thing anyone should do is install a good Antimalware application. An antivirus application is good, an Endpoint Protection application is better. So what is the difference between AV apps and EP apps? There are some basics, many AV applications only prevent virii, while EP apps include
Looking at this list one would think that you wouldn't need anything else, but that would be incorrect. First protection against PUMs is all well and good, but it isn't really robust even in the best of the endpoint solutions. This is also true with rootkit detection. Even the best of the EP solutions don't do as well as the stand alone rootkit detectors. What about keyloggers and programs that make your computer into an internet bot (one of many machines that reports back to a command center host and, many times, unknowingly disseminates malware)?
How can you protect yourself against these perils and against the current spate of ransomeware? I will tell you how I do it and let you draw your own conclusions.
You can even use more than one AV/AM software suite! But there is ONE caveat, never run what most applications call on-access scanning (scanning files as they are accessed or downloaded) from more than one suite. The reason for this is simple and logical. When more than one AV/AM is running on-access scans, they may see each other as performing suspicious activity and end up quarantining or deleting (depending on your settings) necessary files. If you just DISABLE on-access scanning in one of the software suites, you won't run into that kind of trouble.
On one machine I had at home, I ran Microsoft Security Essentials (MSE) with on-access scanning turned off and Malwarebytes Pro (with rootkit scanning turned on - another tidbit of information is that by default this setting is off). I also switched out the hosts file and made the registry changes that Cryptoprevent does automatically for you.
I have only ONCE had any malware problems on either my home or work machines (knock fake wood). The biggest problem any of us face is what has come to be known as the ID10T error (if you don't already know, that means the end user, denoted by leet for idiot, is the problem). The one time I did have a problem on one of my computers, the home one; it was due to a drive-by infection served up by malvertising when my wife visited a legitimate site on a browser installed on our laptop. I bring this up because that was before I installed several pieces of software to prevent that happening again. Since installing the software mentioned above, I have had no problems at all.
I cannot stress enough the importance of having all your software up-to-date. It has often been found that security holes in older versions of software allow intrusions to take place. Keep all software up to date in order to avoid such problems. You should also keep any definitions in your Anti-Virus/Anti-Malware/Anti-Ransomware software as up to date as possible. Although more and more companies are moving away from static definition files, these help more than you would think.
What to do if you have been “Doxxed”
So you have in one way or another been "Doxxed." Your files have either been encrypted and you have received a ransom note telling you that you must either pay or your personally identifiable information files will be published, or you may just receive the note with the same ransom demand. Either way, DO NOT PAY! So you may say, "My files are too important, I need them back right away, so I need to pay." You need to think of this like any other extortion scheme.
So, what can you do? Here are some suggestions.
What does this mean for how you act in the future?
There are several ways to react to this, in my humble opinion, the best way is to be proactive. This means several things. To protect yourself overall, you should be using some sort of encryption. This can be full disk encryption (FDE), File by File encryption (FFE) or Vaulted Encryption (VE). VE is most often used on USB thumbdrives, but can be used anywhere. It is where you encrypt a section of the device you are using and store files you wish to encrypt in that section only. Knox for Android is an example of Vaulted Encryption. FDE is most frequently used on laptops. FDE is an excellent way to protect yourself against this type of attack, although no encryption will protect you against a ransomware attack. FFE is infrequently used, but can be very useful if you have a good handle on what needs to be encrypted. Generally, encryption of any type is a wear on your hardware. Especially with Solid State drives (SSD) which are not rated by speed, but rather by the number of lifetime writes they can handle. Hence, a SSD that has FDE on it will have its life cut at least in half.
Next, make sure you have versioning backup (see the backup section). And make sure you have TWO backups of this backup, all kept up to date.
Protect yourself against the most common attack vectors
NEVER open email attachment from either known or unknown senders which you are not expecting. This may put a crimp in the way you use email, but which scenario causes you more harm and/or costs you more money, not getting some attachment or having to spend several days recovering from an attack because you opened one you shouldn't have? Note that if you like using the reading pane in Microsoft Outlook, you should know it is the exact SAME thing as opening an email. My suggestion is to always turn off the reading pane.
Never click a link in an email or PDF that says "Click here" or "Click me" or "here" or something similar. Hover your mouse over the link and see where it is going to send you. This is the same tactic you should use when receiving emails from people like "Your Email Administrator." These are usually phishing scams.
I went into Malvertising earlier, but to summarize - don't click any ad links on web pages
The primary infection vector from USB devices is the autorun.inf file. This is important since it is rather easier to disable. There are several ways to do this. All of them should disable BOTH autorun and Autoplay. This is a minor inconvenience, you will now need to double click on the CD or USB icon and run any software you wish to use manually. This is fine since you definitely do not want random USB sticks running who knows what on your computer. This study(PDF) found that almost half of dropped USB sticks were picked up and plugged in to a computer by an end user.
But Autorun/Autoplay is not the only problem.
Some (not all) sources
If you have found this article to be useful, click to thumbs up icon to vote it helpful. I will respond to any comments you may have as well. Check out my other articles linked to below.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.