In addition to encrypting victims’ data and requesting a ransom payment, the new “AXLocker” ransomware family also steals afflicted users’ Discord accounts. Discord sends back a user authentication token kept on the PC when a user signs in with their credentials. The user may then log in using this token or send API queries to get data from the connected account.
Threat actors frequently try to steal these tokens because they allow them to hijack accounts or exploit them for other malicious attacks. Since NFT platforms and cryptocurrency organizations have chosen Discord as their community of choice, threat actors may be able to commit fraud and steal money if they manage to get their hands on a moderator token or those of another verified community member.
A recent analysis of a sample of the new AXLocker ransomware by Cyble researchers revealed that it not only encrypts data but also takes the Discord tokens of its victims. The malware and the threat actors who employ it are not very sophisticated as ransomware. The ransomware targets specific file extensions and avoids particular directories when it is run.
AXLocker employs the AES technique to encrypt files but does not add a filename extension. Therefore, the encrypted files are displayed with their original names. Then, via a webhook URL, AXLocker delivers a victim ID, system information, browser data, and Discord tokens to the threat actors’ Discord channel. AXLocker will use regular expressions to scan the following folders for tokens and extract them to steal the Discord token:
- Discord\Local Storage\leveldb
- discordcanary\Local Storage\leveldb
- Opera Software\Opera Stable\Local Storage\leveldb
- Google\Chrome\User Data\\Default\Local Storage\leveldb
- Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
- BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
The ransom note eventually appears, alerting the victims that their data has been encrypted and providing information on how to get in touch with the threat actor to buy a decryptor. The ransom amount is not specified in the message, but victims are given 48 hours to contact the assailants using their victim ID. Although this ransomware targets consumers rather than businesses, it might nevertheless represent a serious danger to sizable populations.
Change your Discord password right away if you discover that AXLocker has encrypted your computer since doing so will invalidate the token that the ransomware has taken. Even while your files won’t be recovered, doing this will stop the future compromise of your data, accounts, and the communities you participate in.