Compliance Management, Malware, Privacy, Threat Management

Researchers spot ransomware evolving into ‘doxware’ to scare victims into paying

As companies grow aware of the threat of ransomware, threat actors are upping the ante with “doxware” by implementing features to ransomware that could leak a victim's data if ransoms aren't paid.

While he couldn't confirm instances of threat actors making good on their promise to leak files, Dunbar Security Solutions Chief Operating Officer Chris Ensey told that his team has examined code in development that would allow a Jigsaw variant to leak a users files.

Ensey said doxware could have the power to “shift the odds in favor of the adversaries” because businesses in particular would be more likely to pay if there is a possibility that sensitive data could be released to the public as opposed to cutting losses starting fresh from backup data as businesses can do with current variants of ransomware. 

Doxware also has the potential to have more of an impact on a mobile level if an attacker seized the contents of a user's phone and threatened to release pictures or messages to people in their contact list, he said.

The new threat tactics aren't without their downside. Ensey said the attacker would need to set up the infrastructures to host a victim's files and potentially release them on demand create limitations in the scalability of the malware. The additional infrastructure could make it easier to trace criminal activity.

“That just creates more exposure for them to get caught or identified,” Ensey said.

He added that in addition to basic cybersecurity hygiene, businesses need to consider segmenting machines that store sensitive data and consider leaving important information air gapped.

Andrew Komarov, chief intelligence officer and InfoArmor, told that he has spotted variants of doxware based on well-known credential grabbers like Pony, along with modified ransomware projects that are available for sale in various underground affiliate networks.

“This type of malware has an attractive business driver for cybercriminals based on privacy concerns of the affected victims,” Komarov said via emailed comments. “The percentage of ransom payments is much higher compared to other ransomware where files are simply encrypted.”

Doxware is the latest attempt by cybercriminals to further weaponize our data by relying on a victim's willingness to pay for privacy, ThinAir Chief Executive Officer Tony Gauda told

“Traditional ransomware campaigns could be easily thwarted by data backups, but when hackers threaten to disseminate data instead of destroying it, users are left with few options besides paying the ransom,” he said via email comments.

If this sort of attack persists, Gauda said he anticipates more individuals and organizations will take steps to assure innovative defenses are in place that render data useless regardless of whose hands (or inbox) it lands in.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.