doxes

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by DOXES ransomware are marked with the extension .DOXES.
  • Renaming Convention: After encryption the malware keeps the original file name and appends “.DOXES” to it (e.g., Report_Q4.docx becomes Report_Q4.docx.DOXES). There is currently no embedded campaign-ID or e-mail address in the renamed files.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: DOXES was first reported by victims in mid-October 2023, with a sharp spike in submissions through the second week of November 2023, placing it among the late-2023 wave of ESXi-targeting, “LockerGoga-like” operations.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. VMware ESXi hypervisor exploitation
    • Initial access is gained with brute-forced or phished ESXi admin credentials, followed by abuse of the VMware API (/ui/esxi/script) to upload the ELF binary doxes or doxes_locker directly into /tmp.
  2. ProxyLogon & ProxyShell email exploitation
    • Servers running outdated Exchange 2016 or 2019 instances have been observed downloading PowerShell loaders (bb6a.ps1) that subsequently deploy DOXES.
  3. Cracked software installer bundles
    • DAEMON Tools Ultimate and pirated Adobe installers circulating on popular warez forums drop the Windows variant (DOXES.exe).
  4. RDP lateral movement
    • In tenant networks where ESXi is already compromised, DOXES operators use WMI to push the binary over SMB (ADMIN$ or C$ shares) to Windows servers and workstations, maximizing the reachable data volume before encryption starts.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  • Harden ESXi root and vCenter accounts: strictly enforce 15+-character passphrases, enable the built-in lock-out policy (Security.AccountLockFailures), and disable SSH if unused.
  • Patch Exchange, Windows and ESXi regularly; prioritize fixes against CVE-2021-34473 (ProxyShell) and VMware ESXi Advisory VMSA-2021-0010.
  • Segment storage/VLANs so ESXi management, VM traffic and backup networks reside on separate networks with a deny-by-default firewall rule set.
  • Restrict vSphere API endpoints (/sdk, /ui) to only dedicated admin jump hosts via VPN and MFA.
  • Backups: insist on immutable or off-line backups (S3 with Object Lock, Veeam Hardened Repository). Test restores monthly.

2. Removal

  • Infection Cleanup:
  1. Asset isolation
    • Physically or logically pull infected ESXi hosts and Windows machines from the production network.
  2. Kill malicious processes
    • On ESXi: from the ESXi Shell, run kill -9 $(pidof doxes) and delete the /tmp/doxes* ELF binaries.
    • On Windows: boot into Safe Mode with Networking, disable the DoxSvc service, and terminate the parent powershell.exe or cmd.exe process.
  3. Startup persistence removal
    • Windows Registry: check HKLM\Software\Microsoft\Windows\CurrentVersion\Run and remove any “doxes.exe” value.
    • ESXi: remove lines added by the malware to /etc/rc.local.d/local.sh or /etc/rc.local that call doxes.
  4. Re-image or reinstall if tampering is extensive
    • Apply a clean ESXi image from vendor media (always check SHA-256 checksums).
  5. Patch the exploited vector (Exchange, RDP, etc.) before re-connecting.

3. File Decryption & Recovery

  • Recovery Feasibility: There is no publicly available decryptor. DOXES uses ECDH over secp256k1 to generate a per-host AES-256 key that is then encrypted with the attackers’ public key. The wrapped keys are exfiltrated; without the gang’s private key or an intact offline key cache, decryption is currently impossible.
  • Essential Tools/Patches:
  • Kaspersky’s RakhniDecryptor and Emsisoft Decryptor do not cover DOXES yet—track NoMoreRansom.org listings.
  • 2023-11 ESXi cumulative patch (build-13.3) and the November/December 2023 updates for Windows/Exchange (they disable older TLS ciphers leveraged by DOXES loaders).
  • ESXi File Integrity Monitoring: VMware vSphere 8 File Integrity subsystem with attestation token to detect rogue ELF binaries.

4. Other Critical Information

  • Unique Characteristics:
  • DOXES deliberately skips virtual machine configuration files (*.vmx, *.vmdk.descriptor) so that victims can still power machines on after encryption. This is not altruism—it keeps organizations operating while making the impact plainly visible, increasing pressure to pay.
  • When encryption finishes, DOXES drops HOW-TO_DECRYPT_FILES.txt in every folder it processed. The ransom note is unusual in that it threatens to publicly dump the stolen vmdk snapshots on deep-web forums (double extortion), and the deadline shrinks from 72 h to 24 h if the victim contacts the operators through an open channel instead of TOX, pointing to operational insecurity on their side.
  • Broader Impact:
  • MSPs and cloud hosters running multi-tenant ESXi environments have borne the heaviest losses—one incident at a mid-sized German hoster encrypted >820 VMs across 11 nodes in under 6 minutes.
  • Because DOXES couples a Linux (ESXi) payload with a Windows payload, hybrid on-prem/data-center infrastructures face near-simultaneous encryption of both guest data and hypervisor storage, inflating both operational downtime and ransom demands.
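Added example (not code from the original report): a Python triage scan that applies the renaming convention from section 1 together with the ransom-note and skipped-file behaviour above to a read-only copy of a datastore, reporting encrypted files with their original names, ransom-note locations, VM files left intact, and SHA-256 hashes of any doxes* binaries for IOC reporting. The sample tree it builds is constructed here for offline demonstration; point scan_tree() at the mounted copy for real use.

```python
import hashlib
import tempfile
from pathlib import Path

EXT = ".DOXES"                           # extension appended by DOXES
NOTE = "HOW-TO_DECRYPT_FILES.txt"        # ransom note dropped per folder
SKIPPED = (".vmx", ".vmdk.descriptor")   # VM files DOXES leaves untouched

def original_name(filename: str):
    """DOXES keeps the original name and appends .DOXES; undo that, else None."""
    return filename[:-len(EXT)] if filename.endswith(EXT) else None

def scan_tree(root: str) -> dict:
    """Walk a read-only copy of the datastore and summarise what DOXES did."""
    res = {"encrypted": {}, "notes": [], "skipped_intact": [], "binaries": {}}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        orig = original_name(p.name)
        if orig:
            res["encrypted"][rel] = orig          # encrypted file -> original name
        elif p.name == NOTE:
            res["notes"].append(str(p.parent.relative_to(root)))
        elif p.name.endswith(SKIPPED):
            res["skipped_intact"].append(rel)     # expected to be left intact
        elif p.name.startswith("doxes"):          # dropped as /tmp/doxes* on ESXi
            # SHA-256 of the suspect binary, ready to report as an IOC
            res["binaries"][rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return res

def build_sample_tree() -> str:
    """Constructed sample layout for offline demonstration (not victim data)."""
    root = tempfile.mkdtemp()
    sample = {
        "vm1/Report_Q4.docx.DOXES": b"ciphertext placeholder",
        "vm1/vm1.vmx": b'config.version = "8"',
        "vm1/HOW-TO_DECRYPT_FILES.txt": b"ransom note placeholder",
        "tmp/doxes_locker": b"\x7fELF placeholder",
    }
    for rel, data in sample.items():
        f = Path(root, rel)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```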

Immediate actions for anyone discovering .DOXES files

  1. Do not reboot affected ESXi servers—some variants overwrite the memory pages in which encryption keys might still be recoverable. Freeze the host and capture memory images (WinPmem or FTK Imager), then analyse them with Volatility (vol.py) for potential key extraction.
  2. Preserve a full backup of the encrypted dataset before any recovery attempts—sometimes a key is published months later.
  3. Report the IOCs (file hashes, ransom wallet, IP/port 192.168.x.x:33492) to your national CERT or the FBI Internet-Crime Complaint Center to feed cross-victim correlation.

Stay vigilant and layer your defenses: ESXi security hardening, authentication hygiene, endpoint control, and immutable backups are the best answers to DOXES today.