August 27, 2020

The Rise of Doxware - Capable Ransomware

Written by: Josh Campbell

Ransomware is not a new threat. While the first ransomware is thought to have appeared in 2012, it wasn’t until 2014 that organizations really began to sit up and take notice of the threat this malware category posed to the Internet community as a whole. So effective was this concept – encrypting a person or organization’s data and demanding a subsequent payment (or ransom) in order to decrypt it – that the malware marketplace quite nearly exploded with hundreds of malware authors offering new types of ransomware with varying feature sets to actors looking to capitalize on this novel and profitable concept.

And capitalize on it they did. In 2015, ransomware was estimated to have caused around US$325 million in damages and ransom payments, according to Microsoft.[1] However, as time progressed that number would continue to increase at a nearly exponential rate, reaching a staggering US$5 billion in damages and ransom payments by 2017;[2] and, by 2019 that number had more than doubled to US$11.5 billion.[3]

With this continued growth in ransomware, malware authors and threat actors alike have been forced to continuously improve the malware itself as well as their tactics, techniques, and procedures (TTPs) in order to combat security controls and remain profitable. This has spawned a litany of different techniques which have been adopted by authors and actors alike, including: time-based ransoms, where the ransom increases based on time; sample files, where the actor allows victims the opportunity to decrypt a small number of files as evidence of their capability; and, far more targeted ransomware attacks, as opposed to the widespread campaigns that were observed early on.

However, one of the more worrisome trends in 2020 is that increasingly more malware authors and actors have begun to implement the use of a new ransomware functionality which has been popularly referred to as “doxware” (a port manteau of the terms “doxing,” which is itself the practice of releasing personally identifiable information (PII), and “ransomware”).

The basic concept of doxware is similar to any other type of ransomware, but with one key difference. Whereas most ransomware families will encrypt the data on victims’ systems and demand a ransom payment for the decryption of that data, doxware will also begin exfiltrating the same files it is encrypting to attacker-controlled infrastructure. In doing this, not only can the attacker demand a ransom for the safe decryption of the data, but should a ransom not be paid, the attacker can also threaten to disclose sensitive, confidential or even embarrassing data publicly.




The success of this new functionality has been undeniable. In only a few short months in 2020, the number of ransomware families that have adopted it has grown to at least 14. While that number may not seem particular noteworthy when compared to the over 1100 ransomware families thought to exist, it is of note that the 14 families of doxware are operated by the most prolific and advanced of the ransomware actors. This has inevitably led to some extremely high profile, at times embarrassing, compromises and subsequent leaks.

It is also worth noting that as these advanced actors continue to perfect their tradecraft through high profile compromises, it is highly likely that less advanced actors, seeing the overall success of these compromises, will also adopt these techniques as well.

Cyborg Security has compiled a list of the 14 significant doxware-capable ransomware families known to exist.



Darkside Ransomware (also referred to as Dark Side).

Conti Ransomware (also known as CONTI) i

Sodinokibi Ransomware (also known as REvil, and Sodin)

MAZE Ransomware

CL0P Ransomware (spelled variously as C|0P, cl0p, and c1op)

Sekhmet Ransomware

NEMTY Ransomware (Nefilim, Nephilim)

Doppelpaymer Ransomware

Ragnar Locker

NetWalker Ransomware

AKO Ransomware

Pysa Ransomware (also referred to as Mespinoza)

Avaddon Ransomware

About the Author