Bad actors use new ransomware aptly called “Hog” to encrypt the victims’ device and then tells the victim to join their Discord server in order to decrypt it.
The ransomware was reported by security researchers at MalwareHunterTeam. They detected an in-development decryptor for the Hog Ransomware that works by demanding victims to join the developer’s Discord server.
“In order to decrypt your files, you will need to join our Discord server. Have a nice day!” read their tweet.
BleepingComputer reported they found the encryptor component for the ransomware. Upon execution, the malware will check if a particular Discord server exists, and encrypts the victims’ files if it confirms the server exists.
It appends the .hog extension to the encrypted files. Once the ransomware has finished encrypting the device, it proceeds by extracting the decryptor component. After that, the malware launches the decryptor program with the title DECRYPT-MY-FILES.exe from the Windows Startup folder.
This decryptor sends the above message to the victim and prompts them to provide their user token for Discord.
The ransomware uses the stolen Discord token to authenticate itself via Discord’s APIs. After this, it checks if the victim joined their server, as the code below shows.
“If the victim has joined the server or the server does not exist, the ransomware will decrypt the victims’ files using a static key embedded in the ransomware,” BeepingComputer explains.
This ransomware is still in development and hasn’t been spotted in the wild. But it illustrates how ransomware actors never stop looking for new ways to reach their victims and starting to use Discord more often.
Discord is rather often used by threat actors to distribute malware or steal users’ personal data.
Another Discord ransomware with extortion techniques – Humble, recently discovered by Trend Micro – prompts victims to pay ransom otherwise they threaten to post the victim’s private details to the threat actor’s Discord server. The bad actors can do that using a webhook.