The ransomware business model is simple and effective: trick people into running code that locks them out of the files they need (or even threaten to delete them), and demand money or else.

It's a lucrative criminal enterprise when done at internet scale, and so far ransomware has proven relatively risk-free for blackmailers. Hospitals in particular have turned out to be low-hanging fruit for ransomware bandits. Health institutions cannot afford IT system downtime for their patients' sake, yet don't have the budgets to build a solid defence against digital blackmail.

The target market of potential victims is getting wise to ransomware though, backing up frequently to keep clean system copies from which encrypted, locked-up files can be restored. How could criminals improve on ransomware then?

What if instead of denying access to important user data, the crims were to threaten to release it on the internet?

That's called "d0xing", which comes from documenting, and it's a tactic used to smear people by releasing their data on the internet. Depending on context, everyone has something to hide, and d0xing can be devastating for victims.

It can be anything, from a vulnerable person's home address and phone number, to your browsing history, bank details and online purchases. Malicious people can turn almost any information tidbit against you.

Now, combine ransomware with d0xing, and you get d0xware.

This is malware that, once running on your computer, not only locks up your files but, as an added incentive to pay the ransom, collects personal data, uploads it to a server and threatens to release it.

A US security vendor picked up on a few additional lines in the ransom demand for the Jigsaw malware, whose creator has been extremely aggressive in past versions, deleting victims' files if no money was paid before the deadline ran out.

The threat of file deletion clearly didn't cut it, so now there's d0xing thrown into Jigsaw too.

This updated version of Jigsaw now apparently collects "all Logins, Contacts, email, Passwords and Skype history" and uploads the data to a server.

Victims get 72 hours to pay US$5,000 in Bitcoin (approximately NZ$6,680), or Jigsaw will start deleting files. The kicker is that the malware author threatens to send messages to all the victims' contacts, "sharing with them every private conversation or email of yours I could find."

That's next-level nastiness, and it's a powerful threat, especially if, say, a politician or medical professional is hit by Jigsaw. Some people have skeletons in their cupboards that they want to keep there; others hold confidential information about other people that would be harmful to release.

It's easy for d0xware extortionists to automate the process and send out confidential information without any human interaction. D0xware could go beyond embarrassing people and become a danger to their lives if, for instance, a political dissident is hit by the malware and a repressive regime gets hold of that person's contacts and private messages.

Ransomware and malware writers collaborate and copy each other's stuff freely, and unfortunately you can expect the d0xware concept to become more commonplace. The risk is too low, and the rewards are too high, for that not to happen.

Another ugly twist with d0xware is that once the criminals have your embarrassing and damaging data, what's to stop them from demanding ransom more than once?

There's no guarantee that data copied from victims' computers will be deleted even if the ransom has been paid, and there's no way to verify that this has happened.

Just like with normal ransomware, there will be desperate people who pay the extortionists in the hope that their files will be unlocked and not spread throughout the internet. It's easy to say "don't give in to blackmail" when it's not you who's caught between a rock and a hard place, but paying the ransom only encourages the criminals and their copycats.

So far, police working with security vendors have had only modest success in tracking down the people behind the scourge of ransomware, as the rising number of attacks makes apparent.

Try not to become a victim in the first place: keep your defences up, don't run unfamiliar files when you don't know what they do, and back up your systems frequently. If you send anything sensitive, embarrassing, private or otherwise risky, use strong encryption. That way the captured data is useless to anyone else, even if it's dumped on the internet.