Skip to content

Novel AXlocker ransomware can encrypt your files and steal your Discord

  • by
  • 3 min read

Researchers over at Cyble have discovered a new ransomware called AXLocker that’s stealing victims’ Discord accounts and encrypting their files with standard AES encryption. 

As ransomware, there’s nothing too special about AXLocker. Upon execution, it targets certain file extensions while excluding a few folders required for Windows to function so as not to shut down a user’s system. Contrary to many other ransomware, AXLocker doesn’t append anything to the file name, therefore tricking the users into thinking their files are still unencrypted.

Once the target PC is encrypted, the ransomware sends a victim ID, system details, IP address, UUID, browser data and Discord authentication tokens to the attacker’s Discord channel using webhooks. 

Every time a user logs into Discord, the program sends an authentication token saved locally on their PC to verify their identity. This token can also make API calls to Discord’s backend that fetch user account information. 

AXlocker ransomware can encrypt your files and steal your Discord
AXLocker encrypts these file types and leaves out the excluded folders. | Source: Cyble

AXLocker looks for these tokens everywhere, from the Discord app’s folders to where browsers might save their data. It scans the following directories looking for the token using a regular expression:

  • Discord\Local Storage\leveldb
  • discordcanary\Local Storage\leveldb
  • discordptb\leveldb
  • Opera Software\Opera Stable\Local Storage\leveldb
  • Google\Chrome\User Data\\Default\Local Storage\leveldb
  • BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
  • Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

While it operates largely similarly to any of the other prevalent ransomware out there, the fact that it also steals Discord authentication tokens means that threat actors gain access to victims’ Discord accounts which can be used to spread the infection further. The aforementioned list makes it clear that Google Chrome, Opera, Brave, and Yandex browsers are all susceptible to the attack. 

AXlocker ransomware can encrypt your files and steal your Discord
A file encrypted by AXLocker. | Source: Cyble

Post exploitation, the ransomware will present users with a ransom note that states the process to get the decryption key. It presents users with a victim ID and asks them to contact the attackers using said ID to get the decryption key, only giving them 48 hours to do so. There’s no ransom amount mentioned in the note, indicating that attackers might be engaging with victims on a personal level. 

In the News: Hive ransomware cost 1,300 victims over $100 million: FBI

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: