We’ve all heard a lot about ransomware that makes data inaccessible and/or locks up the computer or device until you pay for the encryption key. Now we’re seeing a variant on that theme that some call doxware, or extortionware, that goes further and threatens to release copies of the private documents, photos, and email messages on your computer to the public if you don’t pay up. It’s just one example of how malware has evolved over the past few years and is becoming more and more aggressive.

Ransomware gets its name from the fact that it holds some or all of your files hostage and demands payment to release them. This particularly heinous type of malware has been around at least since the 1980s, when the incarnation known as AIDS appeared. Various ransomware Trojans have cropped up over the years, but really ramped up a few years ago as Bitcoin offered the opportunity for attackers to easily collect the money without going through traditional channels.

CryptoLocker is one of the best-known examples of ransomware. The original version sprang to life in 2013, distributed via a botnet and malicious email attachments. The next year, the botnet was taken down by a consortium of law enforcement agencies, software vendors, commercial security research companies and academic security research departments at several prominent universities, in Operation Tovar.

Not only was the botnet dismantled, but the private keys used to encrypt victims’ files were seized and made available, so that particular story had a happy ending. Unfortunately, it was far from the end of ransomware, and new extortionist malware programs have “borrowed” the CryptoLocker name even though they aren’t technically variants of it.

Other well-known ransomware attacks include Cryptowall and Reveton for Windows, and KeeRanger on Mac OS X.  Then there’s a whole other category of ransomware that targets smartphone and tablet operating systems.

Extortionware goes mobile

Many people today, especially young people, rarely use desktop or even laptop computers. That doesn’t mean they’ve sworn off the Internet; to the contrary, they’re online all the time, but they do it using mobile devices. So it’s no wonder the ransomware authors have turned their attention to creating malicious code that targets those devices.

As mentioned in the introduction, there are basically two types of ransomware:

  • Those that encrypt your data so you can’t view or use it, called (appropriately enough) encrypting ransomware
  • Those that prevent you from logging onto the computer or device or from using one or more applications (such as your web browser), called blocking ransomware or just blockers.

Note: There is also a variety of scamware called “scareware” that doesn’t really do anything but only threatens to; this includes those email messages that tell you the FBI has found something illegal on your computer and will arrest you if you don’t send money for the “fine.”

Encrypting ransomware is the most popular on desktop operating systems, but they don’t work as well with mobile devices because the data is usually stored in the cloud instead of (or in addition to) on the device where the malware can hijack it. Thus a majority of mobile ransomware programs are blockers.

Popular mobile ransomware blockers include Small, Fusob, Pletor and Svpeng. Small and Fusob combine the “threatware” idea with screen overlays that prevent you from using the apps on your device. Mobile ransomware is often disguised as a legitimate third party app or game, installed as a “drive-by download” from questionable websites, or through links in text messages.

Doxware takes electronic extortion to a new level

Doxing is a relatively new term that refers to the public release of private information about an individual or organization. Doxware does (or threatens to do) exactly the opposite of what traditional ransomware does; instead of locking up your sensitive “docs” and making them inaccessible to you, it makes them accessible to everybody – unless you pay up.

If encrypting and blocking extortionware is analogous to hostage-taking for ransom, doxware is comparable to the blackmailer who demands money to keep your secrets quiet. For this reason, doxware is sometimes also called leakware. Doxware often targets email and word processing files. Mobile variants could release private messages, pictures or contact lists from users’ phones.

Doxware can be more effective than ransomware at invoking a positive (from the attacker’s point of view) response because victims can circumvent regular ransomware encryption by maintaining separate backups of data, or get past blockers by formatting the hard drive and doing a clean restore. However, once an attacker has information that you don’t want made public, there is little you can do to prevent that other than pay up.

The scope of the problem

Even though it’s been with us for a long time, the proliferation of extortionware has exploded over the last few years, and some have dubbed 2016 “the year of ransomware” as both the distribution and the code itself became more sophisticated and touched more and more computer and device users.

I’ve never had to deal with extortionware on my own systems (thanks in part to careful security practices and in part to good luck) but I have a number of friends and relatives from all walks of life, including a few in the IT industry, who have fallen victim to it.  Both individual users and businesses are vulnerable.

An Osterman Research survey in 2016 showed that nearly half of respondents said their organizations that been the victim of a ransomware attack during the previous 12 months. CNN statistics showed $209 million paid to ransomware attackers in the first quarter of 2016, and FBI estimates indicated a likely ransomware loss of $1 billion or more for the year. In addition, the average ransomware demand increased from $294 in 2015 to $679 in 2016.

While that $679 average might not seem like much, smaller amounts extorted from individuals are balanced by much larger ransoms targeting organizations, such as the $3.4 million that cybercriminals demanded from Hollywood Presbyterian hospital in early 2016.

Protecting against extortionware

Obviously extortionware is a big threat and should be on your security radar. So how do you protect your organization from it?

As you might guess, many of the recommended measures are the same used to protect against other types of malware:

  • Keep your OS and applications updated and install all security patches with a solution like GFI LanGuard
  • Back up important files regularly to a site that is disconnected when not backing up (to prevent ransomware from also encrypting your backup files)
  • Authenticate inbound email
  • Implement ad blocking on web browsers since malware is often delivered through “malvertisements,” even on legitimate sites
  • Disable unneeded services (CryptoLocker, for example, often targeted machines using Remote Desktop Protocol, so disabling RDP if you don’t use it helps protect against it)

Educate users in safe computing practices and reinforce the importance on a regular basis:

  • Don’t click on links in email, texts, and on web sites you don’t trust
  • Show hidden file extensions so executables can’t be disguised as PDFs or JPGs or other more innocuous file types
  • Don’t visit questionable web sites (porn, warez, music piracy sites, hacker forums, etc.)
  • Don’t download mobile apps from untrusted sources

Several of the popular security vendors offer security suites to protect against malware, including extortionware. They also offer mobile security solutions that are designed to scan your phone or tablet and check apps against their databases of known threats, and can also warn you of websites that are infected with ransomware (or other malware).

Most experts recommend that you not pay the ransom as this encourages the criminals – and in many cases victims have paid and never received the keys, or received keys that didn’t work. Remember that criminals, by definition, are not trustworthy and are prone to not keeping their promises.


Extortionware is big business and becoming more so. Companies and other large organizations are prime targets because they’re seen as having deep pockets.

GFI Software has a suite of products which can decrease the risk of falling victim to extortionware and with our GFI Prime program you can get a FREE solution for each product, such as GFI LanGuard, that you buy. Learn more about GFI Prime here.  

Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.