Ransomware Operators “Up the Ante” with Doxware

As organizations prepare for ransomware attacks by improving their back-up and restore procedures, ransomware operators are inventing new ways to ensure their victims “pay out” once they’ve been infected. According to Ars Technica, both the Maze and REvil ransomware groups are “doxing” victims that don’t pay up on time.

Doxing, or doxxing (from “dox”, abbreviation of documents), is the Internet-based practice of posting private or sensitive information about an organization—especially information stolen as part of a data breach.

According to cybercrime correspondent Brian Krebs:

“Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.”


This new form of ransomware, dubbed “doxware,” has yet to become the prevalent form of ransomware, but it represents an ominous shift in cyber-criminal tactics, which are constantly evolving and improving to maximize ransomware effectiveness and profitability.

What can you do? The appearance of doxware on the cybersecurity scene is proof that organizations can’t “insure” their way out of cybersecurity risks or rely on a single security solution (back-ups) to protect themselves from damage to their reputations or compromise of their sensitive data. Resilient cybersecurity programs are built not only on “prevention,” but also on detection and response measures. PLEX recommends organizations perform comprehensive cybersecurity assessments to identify gaps in their cybersecurity protections and build long-term programs to address those gaps.

See also: https://www.darkreading.com/attacks-breaches/ransomware-has-evolved-and-its-name-is-doxware/a/d-id/1327767

By Terry Bradley, Vice President at PLEX