Researchers at Cyble have discovered a new ransomware, AXLocker, that encrypts victims’ files with AES and also steals their Discord authentication tokens, giving the attackers access to their Discord accounts.
As ransomware goes, there is nothing special about AXLocker. On execution it encrypts files with certain extensions while skipping a few folders Windows needs in order to boot, so the system stays usable. Unlike most ransomware, AXLocker does not append an extension to the files it encrypts, so names and icons look untouched and victims may not realize their files are encrypted until they try to open one.
Once encryption finishes, the ransomware posts a victim ID, system details, IP address, UUID, browser data and any Discord authentication tokens it found to an attacker-controlled Discord channel through a webhook URL.
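Because the files keep their original names and extensions, a responder cannot spot encrypted files by extension. The following script is an added example, not code from Cyble’s report or from the malware, that flags files whose content no longer matches what their extension claims: it checks the magic bytes of a few common formats and, where the header is missing or the format is unknown, measures the Shannon entropy of the first 4 KiB (AES ciphertext sits near 8 bits per byte; documents and text do not). The magic-byte table, thresholds and sample files are constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Magic bytes for a few common file types (illustrative, not exhaustive).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """True when a file's header contradicts its extension and the content is near-random.

    A file whose extension is in MAGIC passes as soon as the expected header is present,
    so legitimately high-entropy containers (zip/docx/png) are not flagged. Very small
    samples are skipped because entropy is bounded by log2(len)."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if len(head) < 256:
        return False
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None and head.startswith(expected):
        return False
    return shannon_entropy(head) >= threshold


def scan_tree(root: str) -> list[str]:
    """Walk a directory and return relative paths of files that look encrypted."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                flagged.append(os.path.relpath(full, root))
    return sorted(flagged)


def build_sample_tree(root: str) -> None:
    """Write constructed sample files: two intact, two 'encrypted' but still named as before."""
    # Every byte value exactly 16 times gives entropy 8.0 and no recognisable header;
    # it stands in for AES ciphertext so the example is deterministic.
    ciphertext = bytes(range(256)) * 16
    samples = {
        "report.pdf": b"%PDF-1.7\n" + b"Quarterly figures in a plain text body.\n" * 100,
        "notes.txt": b"meeting notes: follow up with the vendor\n" * 100,
        "invoice.pdf": ciphertext,
        "todo.txt": ciphertext,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> list[str]:
    """Build the sample tree in a temporary directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())  # ['invoice.pdf', 'todo.txt']
```

Run it against a user’s document folders rather than the whole disk: installers, archives and media already sit near 8 bits per byte, and the magic-byte shortcut only covers the formats you list.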
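The webhook exfiltration is the most visible network artifact AXLocker leaves. As an added detection example (not from the article), the script below runs over a few constructed proxy log lines and flags every POST to a Discord webhook URL, extracting the webhook ID so it can be reported. The log format, process names, webhook IDs and tokens are all placeholders.

```python
import re

# Constructed proxy log lines (not real traffic). Fields: timestamp, client IP,
# process name, HTTP method, URL, bytes sent. Webhook IDs and tokens are placeholders.
SAMPLE_LOG = """\
2022-11-20T10:14:55Z 10.0.0.12 Discord.exe GET https://discord.com/api/v9/users/@me 0
2022-11-20T10:15:02Z 10.0.0.12 svchost_update.exe POST https://discord.com/api/webhooks/000000000000000000/placeholder-webhook-token 18342
2022-11-20T10:15:03Z 10.0.0.12 chrome.exe GET https://cdn.discordapp.com/attachments/0/0/image.png 0
2022-11-20T10:16:40Z 10.0.0.31 python.exe POST https://discordapp.com/api/webhooks/000000000000000001/another-placeholder-token 5120
2022-11-20T10:17:01Z 10.0.0.31 python.exe GET https://discord.com/api/webhooks/000000000000000001/another-placeholder-token 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)
# Webhook URL shape: <host>/api/webhooks/<snowflake id>/<token>. Both discord.com and the
# older discordapp.com host (and the canary/ptb subdomains) accept webhook posts.
WEBHOOK_RE = re.compile(
    r"^https://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)"
)


def detect_webhook_exfil(log_text: str) -> list[dict]:
    """Return one finding per POST to a Discord webhook URL, whatever process sent it.

    The desktop client talks to /api/v<n>/... endpoints; posting to a webhook is how
    bots, and here malware, push data into a channel, so a POST to this path from an
    endpoint deserves an alert regardless of the process name."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        w = WEBHOOK_RE.match(m["url"])
        if not w:
            continue
        findings.append({
            "ts": m["ts"],
            "client": m["client"],
            "process": m["proc"],
            "webhook_id": w["id"],
            "bytes_sent": int(m["bytes"]),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_webhook_exfil(SAMPLE_LOG):
        print(finding)
```

The webhook ID is what you give Discord when reporting abuse. Because the URL itself embeds the webhook token, a responder who captures the full URL can also disable it directly through Discord’s "delete webhook with token" endpoint, which needs no account authentication.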
When a user logs into Discord, the client receives an authentication token and saves it locally so the user does not have to enter their password again. That token is presented on every call to Discord’s API, so anyone who obtains a copy can act as the user, fetching account information and sending messages, without knowing the password and, because the token already represents an authenticated session, without being challenged for a second factor.
AXLocker looks for these tokens in the data folders of the Discord desktop clients and in the Local Storage (LevelDB) directories of several Chromium-based browsers, where the web client’s token persists. It scans the following directories and extracts token-shaped strings with a regular expression:
- Discord\Local Storage\leveldb
- discordcanary\Local Storage\leveldb
- Opera Software\Opera Stable\Local Storage\leveldb
- Google\Chrome\User Data\Default\Local Storage\leveldb
- BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
- Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
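The script below turns that list into a triage check a responder can run on a suspected host. It is an added example, not Cyble’s or the malware’s code: it resolves each directory under the user’s AppData folders, scans the LevelDB `.ldb` and `.log` files for token-shaped strings, and reports only redacted matches, so the output says which clients need their sessions rotated without copying a usable token anywhere. Two things are assumptions rather than facts from the article: the split of the relative paths between Roaming and Local AppData, and the token pattern, which is the shape commonly matched in public stealer analyses, not AXLocker’s own expression. The sample profile and its token are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Relative paths from the article. Assigning them to Roaming vs Local AppData is an
# assumption based on where these products normally keep their profiles.
ROAMING_PATHS = [
    r"Discord\Local Storage\leveldb",
    r"discordcanary\Local Storage\leveldb",
    r"Opera Software\Opera Stable\Local Storage\leveldb",
]
LOCAL_PATHS = [
    r"Google\Chrome\User Data\Default\Local Storage\leveldb",
    r"BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb",
    r"Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb",
]

# Token shapes widely used in public stealer analyses (assumed; the article does not
# print AXLocker's regex): three dot-separated base64url parts, or the "mfa." form.
TOKEN_RE = re.compile(rb"[\w-]{24,}\.[\w-]{6}\.[\w-]{25,}|mfa\.[\w-]{84}")


def _join(base: str, win_relative: str) -> Path:
    # Split on the Windows separator so the example also runs on POSIX test hosts.
    return Path(base).joinpath(*win_relative.split("\\"))


def candidate_dirs(roaming: str, local: str) -> list[Path]:
    """Return the subset of the listed directories that exist on this host."""
    dirs = [_join(roaming, p) for p in ROAMING_PATHS] + [_join(local, p) for p in LOCAL_PATHS]
    return [d for d in dirs if d.is_dir()]


def redact(token: bytes) -> str:
    """Keep enough of a token to recognise it in a report, never enough to use it."""
    text = token.decode("ascii", "replace")
    return f"{text[:6]}...{text[-4:]}"


def audit(roaming: str, local: str) -> dict[str, list[str]]:
    """Map each LevelDB file containing a token-shaped string to its redacted matches."""
    hits: dict[str, list[str]] = {}
    for d in candidate_dirs(roaming, local):
        for f in sorted(d.iterdir()):
            if f.suffix not in (".ldb", ".log"):
                continue
            found = sorted({redact(m.group(0)) for m in TOKEN_RE.finditer(f.read_bytes())})
            if found:
                hits[str(f)] = found
    return hits


def build_sample_profile(root: str) -> None:
    """Construct a fake AppData tree: one Discord LevelDB file holding a token-shaped
    value (obviously fake: runs of A, B and C) and one Chrome file holding none."""
    fake_token = b"A" * 24 + b"." + b"B" * 6 + b"." + b"C" * 27
    discord = _join(root, ROAMING_PATHS[0])
    chrome = _join(root, LOCAL_PATHS[0])
    discord.mkdir(parents=True)
    chrome.mkdir(parents=True)
    (discord / "000003.ldb").write_bytes(b'\x00junk\x01"token":"' + fake_token + b'"\x00more junk')
    (discord / "LOCK").write_bytes(b"")  # neither .ldb nor .log, so ignored
    (chrome / "000005.ldb").write_bytes(b"\x00no session stored here\x00")


def demo() -> dict[str, list[str]]:
    """Audit the constructed profile, using one temp dir as both AppData roots."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return audit(tmp, tmp)


if __name__ == "__main__":
    # On a real Windows host, point the audit at the user's actual AppData roots.
    print(audit(os.environ.get("APPDATA", ""), os.environ.get("LOCALAPPDATA", "")))
```

A hit means the token was on disk where the stealer looks, not that it was necessarily taken; treat it as exposed anyway and have the user change their Discord password, which invalidates existing tokens, before worrying about which file it came from.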
Although the encryption side works much like any other prevalent ransomware, the token theft hands the attackers control of the victim’s Discord account, which they can use to message the victim’s contacts and spread the infection further. The directory list shows that tokens cached by the Discord and Discord Canary desktop clients and by the Chrome, Opera, Brave and Yandex browsers are all collected. A browser is “susceptible” here only in the sense that AXLocker knows its profile path; the token is the same whichever client cached it, so the remedy is the same too: log out everywhere or change the password, which invalidates the stolen token.
After encryption, the ransomware displays a ransom note explaining how to obtain the decryption key: it shows a victim ID and tells the victim to contact the attackers with that ID within 48 hours. No ransom amount is stated, which suggests the attackers negotiate with each victim individually.