Doxware - ransomware gets nastier

Thomas Zucker-Scharff, Senior Data Analyst
Veteran in computer systems, malware removal and ransomware topics.  I have been working in the field since 1985.
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.

There is always a need to define the terms you use, before assuming everyone else will understand what you are saying.  In this case, we want everyone to be on the same page, so to speak, during any discussion of Doxware.  If this is the first article you are reading about the subject, you may not be familiar with any of the terms.  So I will start with the most basic, ransomware.

Ransomware is any software that attempts to hold your files for ransom, hence the term ransomware.  Definitions for the term ransomware vary.  Google defines ransomware as "a type of malicious software designed to block access to a computer system until a sum of money is paid."  Wikipedia defines it as "a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan, whose payload is disguised as a seemingly legitimate file; thus, ransomware is an access-denial type of attack that prevents legitimate users from accessing files."  Techtarget defines it as " malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key. "  And the PCTools website defines it as "a category of malware that demands some form of compensation, a ransom, in return for data or functionality held hostage."  It must be noted that crypto-ransomware is a subset of the ransomware category.  When I refer to ransomware I am, for the most part, referring to crypto-ransomware, which - according to Symantec's ISTR report on Ransomware and Businesses 2016 - is currently the largest portion of the ransomware family (see chart below from the report).


Most ransomware uses some form of encryption to make it impossible for the infected user to access his/her files.  Since encryption is so integral to ransomware, let's try to give a basic definition of that as well.  Once again, let's start with Google's definition: "To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text."  Wikipedia defines encryption as "the process of encoding messages or information in such a way that only authorized parties can read [them]."  The best explanation of 256 bit AES encryption is located here.  I summed it up previously with this paragraph: even if you had machines that could decode at gigaflop (a billion Floating point Operations Per Second, FLOPS) rates, and were able to hook a billion of these computers together, then, since AES 256 bit encryption has 2^256 different possible keys, it would take ~6.7 x 10^40 times longer than the age of the universe to exhaust half of the keyspace of one AES-256 bit key (taken from my previous ransomware article).  It should be noted that many ransomware variants are now using AES 1024 bit encryption.

Decryption is just the inverse of encryption.

Many variants of ransomware rely on payment through something called Bitcoin.  So what exactly is bitcoin, and why use it?  Many have said that if bitcoin did not exist there would not be such a problem with ransomware.  Let's investigate this more thoroughly.  First, what is bitcoin?  It is a form of virtual money.  To be more exact, Google defines it as "a type of digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank."  Wikipedia defines it as "a digital asset and a payment system invented by Satoshi Nakamoto, who published the invention in 2008 and released it as open-source software in 2009. The system is peer-to-peer; users can transact directly without an intermediary. Transactions are verified by network nodes and recorded in a public distributed ledger called the block chain." (it goes on, if you are interested).  A third source defines it as "[a payment method that] uses peer-to-peer technology to operate with no central authority or banks; managing transactions and the issuing of bitcoins is carried out collectively by the network. Bitcoin is open-source; its design is public, nobody owns or controls Bitcoin and everyone can take part. Through many of its unique properties, Bitcoin allows exciting uses that could not be covered by any previous payment system."

Malvertising is a term used with different types of malware.  It is a combination of the words malicious and advertising (hence malvertising).  This is, most basically, when advertising, instead of sending you to the supposed site of the advertisement, sends you to a clone of the ad site which hosts malware that is downloaded and installed on your computer.  Interestingly enough, the problem is most dire because many websites have third parties host the advertising on their sites.  If the third party's servers are infected with malware, then all the sites that they serve advertisements to may receive malvertising instead of advertising.  Google's definition: "the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages."  Wikipedia's: "the use of online advertising to spread malware."


The most basic definition of doxing is the practice of using personal documents (dox) - with personally identifiable information - to extort money from an individual or company.  Wikipedia's definition is "... the Internet-based practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual or organization."  There is a definition on reddit that goes as follows: "... refers to the search for, and subsequent publication of private (read: non-public) personal information of people. Specifically, the names, numbers, residences, etc. of users on anonymous sites who aren't figures of entertainment, sports, politics, or other public media, as well as their friends, family, and associates."

It comes down to extortion.  There is no nice way to put it.

Doxware is doxing combined with ransomware.  This is where some malefactor gets you to download malware onto your computer that uploads those documents with personal information in them to their own server and then extorts money from you, usually in Bitcoin, in order for you to retrieve said information.  Remember that the only guarantee you have that your information has NOT been copied is the word of a criminal who has a financial interest in keeping a copy of those documents.

How to Protect Yourself

The only real way to protect yourself from this type of attack is prevention.  There are a number of different avenues to help you in this regard.  First and foremost, backup, backup and backup.  Second, harden your network and/or personal computer to withstand said attacks.  Third, update all your software, since updates usually have some security aspect.  Finally, keep any and all security software up-to-date and active.

Let's first look at backup.  A good backup strategy will protect you from nearly everything.  But this is nothing to be taken lightly.  Backup can be easy, but it also needs to be constantly tested and revisited.  Remember, if your backup cannot be restored, then it is worse than useless.  What your backup strategy is depends on what operating system you use.  For instance, if you are a Mac user, the backup system of choice is the one that comes bundled with the operating system, Time Machine.  But if you use Time Machine, you MUST follow certain minimum precautions.

  1. You will need at least two physical local external drives of approximately the same size
    1. The procedure for using Time Machine in the ransomware era is to have one of your external drives plugged in so it can back up.
  2. You will need to have at least one remote backup location (Dropbox does not count)

The first thing you might ask is what is backup, or at least what does it mean to me?  The definition I use is that backup is basically the way in which you store a copy of your current working data.  But why should you back up at all?  It can be summed up in a single sentence: "Any files you do NOT have backed up in at least two places are files you do not care about." This means two places OTHER than the originals. The reasons you might some day want those backups are too many to list, but several of the categories those reasons fall under are:

  1. Catastrophic loss
  2. Irreparable harm
  3. Virii
  4. Accidental deletion

But, you ask, how does one backup?  What software should you use? What about hardware?  In terms of Software, there are a plethora of options available, but there are several Free tools you should not miss using (especially if you are a home user). 

  1. DriveImageXML from Runtime Software
  2. CrashPlan local from Code42
  3. Windows built-in backup tools (Microsoft)
    • Windows 7
      1. Windows Backup, which also creates an image to restore from
      2. You can also create restore disks from this tool
      3. System Restore is your friend – never turn it off, but remember that it won't save those restore points indefinitely. And SR is generally the first thing that is targeted by virii.
    • Windows 8.x
      1. Does everything that the Windows 7 tools do
      2. File Backup acts like Mac Time Machine, but only for specified files
      3. Windows 8.x can go back to factory defaults even if you have never backed up.
    • Windows 10.x
      1. Has all the tools of previous Windows operating systems
      2. File History Backup – acts like Mac Time Machine but is limited to only a few directories
  4. Paragon (depending on who you are and what you do, this software may be free for you - Experts Exchange members with at least 50k points can request free copies from here)

Paid (to name a few)

  1. Paragon
  2. Novabackup
  3. Crashplan

Hardware

  1. RAID - RAID is a type of automatic backup.  It is set up, depending on the type of RAID, to allow you to have multiple disks so that if one fails you can replace it and the other disks will repopulate it with the data it needs.

Where should one back up to (in all cases storage space is the limiting factor)

  1. Local
  2. USB drive - larger and larger external USB drives are available for very little money.
  3. Network drive
  4. Thumbdrive - unless you have a very large thumbdrive and a small harddrive/SSD you will most likely not be able to make a complete backup with this method.

Cloud (most cloud plans have an unlimited storage option), I have listed a few

  1. Amazon Web Services (AWS)
  2. Crashplan http://www.code42com/crashplan/
  3. Spideroak
  4. Carbonite
  5. Comodo
  6. Druva inSync

How often should I back up

  1. Before making any major changes
  2. If possible, before any changes
  3. At least once a week

What is the difference between backups and archives? This may sound like semantics, but the difference is important. Most general users only create backups, while most professional information technology people use both backups and archives. Whatever someone does, a specific and exact plan is a necessity. 


  1. According to SNIA’s online dictionary, the terms are defined as follows:
    1. Backup: A collection of data stored on (usually removable) non-volatile storage media for purposes of recovery in case the original copy of data is lost or becomes inaccessible; also called a backup copy.
    2. Archive: A collection of data objects, perhaps with associated metadata, in a storage system whose primary purpose is the long-term preservation and retention of that data.
  2. From blog (read more from this blog)
    1. Backup – When backing up your data, you are protecting both active and inactive information which encompasses all of your production data.  As part of the process, you are copying your vital information to a backup target such as disk or tape.  It is critical to recognize that a backup is a copy of production information and the actual data still resides on the production storage systems.  Thus, if your backup system suffers a catastrophic data loss, your operations could still continue normally since your production data would not be impacted; however, you would be operating at an elevated risk.
    2. Archive – Archive solutions solve a different problem.  These technologies are typically used to maintain older or inactive data for extended periods of time.  Archive systems typically move older or inactive information off of primary storage to dedicated systems which are optimized for low cost long-term storage.  A key differentiator from backup is that the data stored in an archive is actual production data and hence a loss of an archive system will result in permanent loss of production information. (To be fair, the information will likely be older and less active, but unlike backup, it is the only copy of the data.)

Plans/Planning - No matter what you do, you will need to plan out how you will implement your backup strategy. There are various ways to backup, the most common is disk to disk backup. Disk to disk backup means just that, backing up from one disk to another. The second disk is many times not quite as good as the "working" disk, whether this is because of speed, capacity or something else in this case doesn't really matter. The second disk is usually a USB external drive for home users, which should be kept away from the computer when not in use (preferably in a separate room). Disk to cloud is another very common option (crashplan, spideroak, comodo, etc.). Many times D2D and D2C are combined (for instance, disk to disk to cloud).  D2C has the added benefit of keeping another copy at a physically different place than the original. Some Information Technology professionals (at least those concerned with backup) will implement either disk to disk to cloud or disk to disk to tape backup scenarios. In many cases the final archive is stored at a place like Iron Mountain.

Bare-metal versus File Backup - I include this section because all too often people confuse these two types of "backup". Many programs that can do bare-metal (BM) backups can also do file backups, but not necessarily the other way around. For instance,

  1. Paragon software can do
    1. Partition/disk backup which can then be extracted file by file
    2. Partition to Virtual machine (P2V) backup
    3. Bare-metal backup
  2. DriveImageXML can do both
    1. It creates a bare-metal backup which can be extracted in toto or file by file.
  3. Bare-Metal Restore (definition on Wikipedia): bare-metal restores can be made to the same or different hardware (depending on the software that creates the bare-metal backup), but either way the restore contains the operating system and all programs and settings that were on the system that was backed up (imaged).
  4. File Restore is a file-by-file restore of data to the same system or to a different system, but either one must already have an operating system installed.


Whether you are a home user or an IT professional, a backup is only good if it works. It is imperative to test out your backup and restore plan to completion. If your backup strategy is an excellent one, but when it comes time to restore and it doesn’t work, you have been wasting your time and resources. This doesn’t have to be gut wrenching.  If you don’t have a second system you can test this out on, make a backup of your primary system then test it that way. The best time to do this is when you just buy a system, so that if it doesn’t work there is not a lot to do to rebuild it (most of the time there is a recovery partition that will do it for you, if there isn’t one you can create one with a tool like Paragon suite or Acronis home edition).
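The two points above, keep versioned copies and actually test the restore, can be turned into a small routine. The following is an added example written for this article, not code from the author or from any of the backup products named here: each run writes a new timestamped snapshot beside the earlier ones and records a SHA-256 manifest, and `verify_restore()` restores a snapshot into scratch space and re-hashes every file, so a backup that can no longer be restored is caught before you need it. The sample files and directory names in `demo()` are constructed.

```python
"""Versioned directory backup with a restore check (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(source: Path, backup_root: Path) -> Path:
    """Copy `source` into backup_root/<UTC timestamp>/data and write manifest.json.
    Earlier snapshots are left untouched, which is what makes the backup versioned."""
    backup_root.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snapshot, n = backup_root / stamp, 1
    while snapshot.exists():            # two runs in the same microsecond still get distinct names
        snapshot, n = backup_root / f"{stamp}-{n}", n + 1
    shutil.copytree(source, snapshot / "data")
    manifest = {
        str(p.relative_to(source)): sha256_of(p)
        for p in sorted(source.rglob("*")) if p.is_file()
    }
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def list_snapshots(backup_root: Path) -> list:
    """Snapshots are the subdirectories that carry a manifest, oldest first."""
    return sorted(p for p in backup_root.iterdir() if (p / "manifest.json").is_file())


def verify_restore(snapshot: Path) -> dict:
    """Restore the snapshot into a temporary directory and hash every restored file
    against the manifest. A backup you have not restored is an untested backup."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    mismatched, missing = [], []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(snapshot / "data", restored)
        for rel, expected in manifest.items():
            target = restored / rel
            if not target.is_file():
                missing.append(rel)
            elif sha256_of(target) != expected:
                mismatched.append(rel)
    return {"ok": not mismatched and not missing, "mismatched": mismatched, "missing": missing}


def demo() -> dict:
    """Constructed sample data: two snapshots, one clean verification, one damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "notes").mkdir(parents=True)
        (src / "taxes.txt").write_text("2016 return draft\n")          # constructed sample file
        (src / "notes" / "todo.txt").write_text("test the restore\n")  # constructed sample file
        root = Path(tmp) / "backups"
        first = create_snapshot(src, root)
        (src / "taxes.txt").write_text("2016 return final\n")          # the working copy changes
        second = create_snapshot(src, root)
        good = verify_restore(second)
        # Simulate a bad sector on the backup drive: the stored copy no longer matches the manifest.
        (first / "data" / "taxes.txt").write_bytes(b"\x00garbage")
        bad = verify_restore(first)
        return {"snapshots": len(list_snapshots(root)), "latest_ok": good["ok"],
                "damaged_ok": bad["ok"], "damaged_files": bad["mismatched"]}


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "the copy exists" into "the copy is intact"; running `verify_restore()` on the oldest snapshot on a schedule is the cheapest way to honour the "test it to completion" rule above without touching the working system.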

Multi-Layered Security

First let me explain that I am extremely paranoid about computer security issues and computer backup issues.  This means that I only feel safe if I am running unknown programs and visiting unknown sites in a virtual machine.  In that way, if anything happens, I simply exit the virtual machine and roll back to the last saved image.  But since most people do not run VMs, I thought it would be a good idea to delineate the best way to harden your computer against malware (malicious software includes, but is not limited to, virii, adware, malvertising, Browser Helper Objects - BHOs - and just about anything else that gets onto your computer which you didn't want there).

So how can you prevent these things from wreaking havoc on your computer?  There are several steps you can take.  The first thing anyone should do is install a good antimalware application.  An antivirus application is good, an Endpoint Protection application is better.  So what is the difference between AV apps and EP apps?  The basics: many AV applications only prevent virii, while EP apps include

  • website malware protection
  • protection against potentially unwanted programs (PUPs)
  • protection against potentially unwanted modifications (PUMs)
  • general malware protection
  • rootkit scanning/protection
  • unwanted adware protection

Looking at this list one would think that you wouldn't need anything else, but that would be incorrect.  First, protection against PUMs is all well and good, but it isn't really robust even in the best of the endpoint solutions.  This is also true of rootkit detection.  Even the best of the EP solutions don't do as well as the stand-alone rootkit detectors.  What about keyloggers and programs that make your computer into an internet bot (one of many machines that reports back to a command center host and, many times, unknowingly disseminates malware)?

How can you protect yourself against these perils and against the current spate of ransomware?  I will tell you how I do it and let you draw your own conclusions.

  • The first thing I install on any machine is a good endpoint protection suite.  I prefer Malwarebytes Pro (remember you get what you pay for - yes the free version is good, but if you want constant protection, pay the miniscule amount of money and get the pro version).
  • Next I install WinPatrol Plus.  This app has been around a long time and has gotten a lot better with age.  It monitors certain default locations and files you specify for changes and asks you if you really want that change made.  It also has some great other features like delayed startup.  If you keep an eye out you can get it on sale (I got 3 copies for 0.99 each some time ago).
  • I install an alternate hosts file, which remaps all currently known malware sites back to your own computer.  So if you click a link that would take you to one of these sites, you'll get an error message instead (assuming you aren't running an HTTP server with a mapping for that address).
  • If you are afraid your computer may get botted, you can install the free RUBotted from Trend Micro.
  • To protect yourself from ransomware (see this article), you should install something like CryptoPrevent (free or Premium), HitmanPro.Alert, CryptoGuard, Umbrella - for networks, or check this page for a toolkit. (All of this is discussed in more detail in the article on ransomware, as is multilayered security.)
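A hosts-file blocklist only protects you while the entries are actually present and actually point back at the local machine; a later program or update can rewrite the file. The following is an added example, not the article's code nor that of any hosts-file project: it parses the hosts format (comments, blank lines, several names per line, first entry for a name wins, as a resolver reads it) and reports which names from a watch list are not sinkholed. The hosts content in `SAMPLE_HOSTS` is constructed and its domain names are placeholders; `local_hosts_path()` returns the real file locations on Windows and on Unix-like systems.

```python
"""Check that a hosts-file blocklist still sinkholes the names it should (added example)."""
import ipaddress
import os
from pathlib import Path
from typing import Dict, List, Tuple

# Addresses that send a name back to the local machine or to nowhere at all.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample; real blocklists contain thousands of entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
# blank lines and comments are ignored by the resolver
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example-malware.invalid   # trailing comment after an entry
127.0.0.1 tracker.example.invalid  cdn.tracker.example.invalid
198.51.100.7 mirror.example.invalid
this line is not valid
"""


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[int]]:
    """Map each hostname (lower-cased) to the address it resolves to.
    Returns the mapping and the 1-based numbers of lines that are not valid entries."""
    mapping: Dict[str, str] = {}
    malformed: List[int] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments, leading/trailing space
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])     # first field must be an IPv4/IPv6 address
        except ValueError:
            malformed.append(lineno)
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])   # first entry for a name wins
    return mapping, malformed


def unblocked(mapping: Dict[str, str], names: List[str]) -> List[str]:
    """Names from the watch list that the hosts file does not sinkhole (missing or real address)."""
    return [n for n in names if mapping.get(n.lower()) not in SINKHOLE_ADDRESSES]


def local_hosts_path() -> Path:
    """Location of the live hosts file on this machine."""
    if os.name == "nt":
        return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def audit_file(path: Path, watch_list: List[str]) -> dict:
    """Parse a hosts file on disk and report unblocked watch-list names and malformed lines."""
    mapping, malformed = parse_hosts(path.read_text(encoding="utf-8", errors="replace"))
    return {"entries": len(mapping), "malformed_lines": malformed,
            "unblocked": unblocked(mapping, watch_list)}


if __name__ == "__main__":
    # Runs against the constructed sample; swap in local_hosts_path() to audit the real file.
    m, bad = parse_hosts(SAMPLE_HOSTS)
    print("entries:", len(m), "malformed lines:", bad)
    print("not sinkholed:", unblocked(m, ["ads.example-malware.invalid", "mirror.example.invalid"]))
```

Keep the watch list to a handful of names you know the blocklist contains; if any of them comes back as unblocked after a software update, the file has been replaced and the blocklist needs to be reinstalled.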

You can even use more than one AV/AM software suite! But there is ONE caveat, never run what most applications call on-access scanning (scanning files as they are accessed or downloaded) from more than one suite.  The reason for this is simple and logical.  When more than one AV/AM is running on-access scans, they may see each other as performing suspicious activity and end up quarantining or deleting (depending on your settings) necessary files.  If you just DISABLE on-access scanning in one of the software suites, you won't run into that kind of trouble.

On one machine I had at home, I ran Microsoft Security Essentials (MSE) with on-access scanning turned off and Malwarebytes Pro (with rootkit scanning turned on - another tidbit of information is that by default this setting is off).  I also switched out the hosts file and made the registry changes that Cryptoprevent does automatically for you.

I have only ONCE had any malware problems on either my home or work machines (knock fake wood).  The biggest problem any of us face is what has come to be known as the ID10T error (if you don't already know, that means the end user, denoted by leet for idiot, is the problem).  The one time I did have a problem on one of my computers, the home one, it was due to a drive-by infection served up by malvertising when my wife visited a legitimate site on a browser installed on our laptop.  I bring this up because that was before I installed several pieces of software to prevent that happening again.  Since installing the software mentioned above, I have had no problems at all.

I cannot stress enough the importance of having all your software up-to-date.  It has often been found that security holes in older versions of software allow intrusions to take place.  Keep all software up to date in order to avoid such problems.  You should also keep any definitions in your Anti-Virus/Anti-Malware/Anti-Ransomware software as up to date as possible.  Although more and more companies are moving away from static definition files, these help more than you would think.

What to do if you have been “Doxxed”

So you have in one way or another been "Doxxed."  Your files have either been encrypted and you have received a ransom note telling you that you must either pay or your personally identifiable information files will be published, or you may just receive the note with the same ransom demand.  Either way, DO NOT PAY!  So you may say, "My files are too important, I need them back right away, so I need to pay." You need to think of this like any other extortion scheme. 

  • You are dealing with Criminals
  • They have digital copies of your files
  • You will NEVER know if they have made copies
  • If you pay they are likely to come back and ask you to pay AGAIN

So, what can you do?  Here are some suggestions.

  1. First and foremost
    1. Change any and all passwords that can be accessed from your computer
      1. Any unencrypted passwords
      2. Any bank passwords
      3. Any passwords you have stored in your browser
    2. Cancel any accounts you may have where the credentials are stored on your computer
    3. Change your social media accounts (yes the name on the accounts)
      1. Skype
      2. Twitter
      3. Facebook
      4. LinkedIn
      5. etc
    4. Notify ALL your contacts that your accounts have been hacked and to disregard any information they may receive, unless accompanied by some code passphrase in the subject line
    5. You can no longer trust the computer that was infected.  For all you know there is a keylogger on it that will send all your new passwords back to the criminal.  The best scenario is to restore from backup, if you have a good one.  If that is not a possibility, you will need to do what is known as reimaging your computer, which just means reformatting and reinstalling everything.  There are several steps in this process alone - which would require another article - but the basics are relatively easy.
      1. Destroy all the data on your current drive by using something like Darik's Boot N' Nuke
        1. use the autonuke feature
      2. Reinstall Windows and your software
      3. The best way to do this is to use cloning software at least once a week to "clone" your hard disk drive or SSD.  In this way all you need to do is take the old drive out and put the "new" cloned drive in its place.

What does this mean for how you act in the future?

There are several ways to react to this; in my humble opinion, the best way is to be proactive.  This means several things.  To protect yourself overall, you should be using some sort of encryption.  This can be full disk encryption (FDE), file-by-file encryption (FFE) or vaulted encryption (VE).  VE is most often used on USB thumbdrives, but can be used anywhere.  It is where you encrypt a section of the device you are using and store the files you wish to encrypt in that section only.  Knox for Android is an example of vaulted encryption.  FDE is most frequently used on laptops.  FDE is an excellent way to protect yourself against this type of attack, although no encryption will protect you against a ransomware attack.  FFE is infrequently used, but can be very useful if you have a good handle on what needs to be encrypted.  Generally, encryption of any type is a wear on your hardware, especially with solid state drives (SSD), which are not rated by speed but rather by the number of lifetime writes they can handle.  Hence, an SSD that has FDE on it will have its life cut at least in half.

Next, make sure you have versioning backup (see the backup section).  And make sure you have TWO backups of this backup, all kept up to date.

Protect yourself against the most common attack vectors


NEVER open an email attachment from either a known or an unknown sender that you are not expecting.  This may put a crimp in the way you use email, but which scenario causes you more harm and/or costs you more money: not getting some attachment, or having to spend several days recovering from an attack because you opened one you shouldn't have?  Note that if you like using the reading pane in Microsoft Outlook, you should know it is the exact SAME thing as opening an email. My suggestion is to always turn off the reading pane.

Never click a link in an email or PDF that says "Click here" or "Click me" or "here" or something similar.  Hover your mouse over the link and see where it is going to send you.  This is the same tactic you should use when receiving emails from people like "Your Email Administrator."  These are usually phishing scams.


I went into malvertising earlier, but to summarize: don't click any ad links on web pages.

USB infections

The primary infection vector from USB devices is the autorun.inf file.  This is important since it is rather easy to disable.  There are several ways to do this.  All of them should disable BOTH AutoRun and AutoPlay.  This is a minor inconvenience: you will now need to double-click on the CD or USB icon and run any software you wish to use manually.  This is fine, since you definitely do not want random USB sticks running who knows what on your computer. This study (PDF) found that almost half of dropped USB sticks were picked up and plugged in to a computer by an end user.

  1. Flash disinfector
  2. Usb-set
  3. Panda USB Vaccine
  4. Registry edit to disable autorun
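Disabling AutoRun/AutoPlay is the fix; what follows is an added triage aid, not the article's code and not any of the tools listed above. It parses an autorun.inf in the INI layout Windows reads (sections, `key=value` lines, `;` comments) and lists every directive in the `[autorun]` section that names something to execute, so that a stick found lying around can be reviewed from a machine where AutoRun is already off. The two file bodies in the block are constructed samples and the program name in them is a placeholder.

```python
"""List the launch directives in an autorun.inf for review (added example)."""
from typing import Dict, List, Tuple

# Keys whose value is a program to run; shell\<verb>\command entries are matched by pattern.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: an autorun.inf that would run a program on insertion/open.
SAMPLE_AUTORUN = """\
[AutoRun]
; constructed sample, placeholder program name
icon=launcher.exe,0
label=Vacation Photos
open=launcher.exe /s
shell\\open\\command=launcher.exe
"""

# Constructed sample: only cosmetic directives, nothing is executed.
BENIGN_AUTORUN = """\
[autorun]
icon=photos.ico
label=Vacation Photos
"""


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} with section and key names lower-cased,
    the way Windows treats them case-insensitively. Lines outside any section,
    comments and lines without '=' are ignored rather than raising."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text: str) -> List[Tuple[str, str]]:
    """Directives in [autorun] that point at something to execute, in file order."""
    auto = parse_autorun(text).get("autorun", {})
    found = []
    for key, value in auto.items():
        is_shell_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_command:
            found.append((key, value))
    return found


def runs_code(text: str) -> bool:
    """True when opening the volume with AutoRun enabled would execute a program."""
    return bool(launch_directives(text))


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "runs code:", runs_code(body), launch_directives(body))
```

The `icon=` line referencing an executable is deliberately not flagged: Windows reads icon resources from it without running it, so only `open`, `shellexecute` and `shell\<verb>\command` decide whether code executes.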

But Autorun/Autoplay is not the only problem.

Some (not all) sources

