How to combat Doxware?

Question

There is seemingly very little information available about the emergence of ransomware; doxware.

I could only find a couple of news articles suggesting that doxware encrypts your files, but also copies them over to the attacker.

Current (server side) anti ransomware software kicks off a client when it detects that a lot of filenames are being changed. This will prevent your files from being encrypted but doesn't protect your files from being copied over to an attacker.

I read that Doxware variants have so far only been used in targeted attacks. However, it's very easy to integrate Doxware in automated malware. I'm actually surprised that there haven't been very large and automated attacks yet.

How do you defend against doxware (except from training your users not to click on rogue emails)?

Answer 1

You defend against malicious actions by first identifying those malicious actions. Ransomware can show itself by high numbers of "rename" actions. That's a quick and easy way to identify malicious actions that are unlikely legitimate.

If doxware does not do this, then yes, you need another "indicator of compromise" to look for. Like a lot of other malware, looking for high numbers of file access and high outgoing bandwidth can be one way of doing that.

As with ransomware, whitelisting processes and applications can block infections before they occur.

I think the reason why we are not seeing a huge outbreak of this sort of attack is because an opportunistic attacker is not going to have the resources to handle a million user's files, and trying to collect them all would make them stand out on the Internet (high volumes of traffic). So, it will be targetted attacks where this would be used. But that is not new at all. Many malware have existed for a long time that do this (RATs being the first one that comes to mind).

The more dangerous variant is a 'doxware' that only looks for a particular file or a small set. This would be impossible to detect.