Hackers Use New Ransomware that Encrypts Files & Steals Tokens From Victim’s Machine

Security researchers at Cyble recently identified that the authors of ransomware now have access to a brand new malicious tool – AXLocker – which has the ability to encrypt and make the multitude of file types unusable.

As one of the most profitable and important malware families for threat Actors, ransomware has rapidly become one of the most important threat types.

Attack Flow

There are three new ransomware families of the following were uncovered: AXLocker, Octocrypt, and Alice Ransomware.

Attackers behind the AXLocker ransomware steal the discord tokens and accounts of infected users. After encrypting files on the victim’s computer, a ransom note is portrayed. This note gives the victim instructions on how to obtain the decryption tool. Cyble researchers said via technical report.

Discord tokens stolen by hackers can be used to perform the following actions:

• Log in as the user
• Obtain information about the associated account by issuing API requests

NFT platforms and cryptocurrency groups have turned to Discord as a preferred community for communication. 

So, it’s obvious that an attacker could make use of the Discord moderator token as well as the tokens of other verified community members to carry out scams and steal funds through fraudulent use of them.

The new AXLocker ransomware has been marked as one of the most sophisticated malware since it steals Discord tokens of its victims along with encrypting the files of their victims.

While the threat actors who use this malicious tool do not possess any particular sophistication when it comes to their actions.

After the ransomware has been executed, it encrypts files by calling a function called startencryption() on the system which hides its presence by modifying the attributes of its files.

A startencryption() function is responsible for enumerating the available directories on the C:/ drive and finding files in them by using the code contained in the function. 

The encryption process is controlled by looking for encryptable file extensions and excluding a list of directories from being encrypted.

This is followed by the ransomware calling the ProcessFile function, which will then execute the EncryptFile function that encrypts the system files of the victim by using the fileName as the argument.

The AES algorithm is used by AXLocker when encrypting files. However, the encrypted files do not have any extension appended to their filenames, so they appear with the same names as the original.

Then it uses a webhook URL through which it sends the following data to the Discord channel that’s under the control of the threat actors:-

• Victim ID
• System details
• Data stored in browsers
• Discord tokens

While apart from this security analysts also detected two more ransomware families and here they are mentioned below:-

• Octocrypt Ransomware
• Alice Ransomware

There is a RaaS (Ransomware-as-a-Service) business model behind both of this ransomware. All Windows versions are targeted by these new variants of ransomware.

Targeted Directories

Among the directories targeted by the malware for stealing Discord tokens are the following ones:-

• Discord\Local Storage\leveldb
• discordcanary\Local Storage\leveldb
• discordptb\leveldb
• Opera Software\Opera Stable\Local Storage\leveldb
• Google\Chrome\User Data\\Default\Local Storage\leveldb
• BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
• Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

However, it is important to note that although this ransomware is primarily directed at consumers, but, still it could pose a substantial threat to large communities and enterprises as well.

Recommendations

Here below we have mentioned all the recommendations offered by the experts:-

• Backups should be conducted regularly.
• Make sure to store your backups in the cloud or on a separate network.
• It is recommended that you enable automatic software updates on your computer, mobile phone, and any other connected devices whenever possible and practical.
• Your connected devices, like your computer, laptop, and mobile phone, should be protected with a reputable anti-virus and Internet security software package.
• Make sure you verify the authenticity of email attachments and links before opening them.
• Devices that are infected on the same network should be disconnected.
• Ensure that external storage devices are disconnected if they are connected.
• Make sure that system logs are checked for suspicious activity.
• We recommend reading Ransomware Attack Response and Mitigation Checklist.

Managed DDoS Attack Protection for Applications – Download Free Guide