cyber security

Hackers Use New Ransomware that Encrypts Files & Steals Tokens From Victim’s Machine

Security researchers at Cyble recently identified that the authors of ransomware now have access to a brand new malicious tool – AXLocker – which has the ability to encrypt and make the multitude of file types unusable.

As one of the most profitable and important malware families for threat Actors, ransomware has rapidly become one of the most important threat types.

Attack Flow

There are three new ransomware families of the following were uncovered: AXLocker, Octocrypt, and Alice Ransomware.

Attackers behind the AXLocker ransomware steal the discord tokens and accounts of infected users. After encrypting files on the victim’s computer, a ransom note is portrayed. This note gives the victim instructions on how to obtain the decryption tool. Cyble researchers said via technical report.

Discord tokens stolen by hackers can be used to perform the following actions:

  • Log in as the user
  • Obtain information about the associated account by issuing API requests

NFT platforms and cryptocurrency groups have turned to Discord as a preferred community for communication. 

So, it’s obvious that an attacker could make use of the Discord moderator token as well as the tokens of other verified community members to carry out scams and steal funds through fraudulent use of them.

The new AXLocker ransomware has been marked as one of the most sophisticated malware since it steals Discord tokens of its victims along with encrypting the files of their victims.

While the threat actors who use this malicious tool do not possess any particular sophistication when it comes to their actions.

After the ransomware has been executed, it encrypts files by calling a function called startencryption() on the system which hides its presence by modifying the attributes of its files.

A startencryption() function is responsible for enumerating the available directories on the C:/ drive and finding files in them by using the code contained in the function. 

The encryption process is controlled by looking for encryptable file extensions and excluding a list of directories from being encrypted.

This is followed by the ransomware calling the ProcessFile function, which will then execute the EncryptFile function that encrypts the system files of the victim by using the fileName as the argument.

The AES algorithm is used by AXLocker when encrypting files. However, the encrypted files do not have any extension appended to their filenames, so they appear with the same names as the original.

Then it uses a webhook URL through which it sends the following data to the Discord channel that’s under the control of the threat actors:-

  • Victim ID
  • System details
  • Data stored in browsers
  • Discord tokens

While apart from this security analysts also detected two more ransomware families and here they are mentioned below:-

  • Octocrypt Ransomware
  • Alice Ransomware

There is a RaaS (Ransomware-as-a-Service) business model behind both of this ransomware. All Windows versions are targeted by these new variants of ransomware.

Targeted Directories

Among the directories targeted by the malware for stealing Discord tokens are the following ones:-

  • Discord\Local Storage\leveldb
  • discordcanary\Local Storage\leveldb
  • discordptb\leveldb
  • Opera Software\Opera Stable\Local Storage\leveldb
  • Google\Chrome\User Data\\Default\Local Storage\leveldb
  • BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
  • Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

However, it is important to note that although this ransomware is primarily directed at consumers, but, still it could pose a substantial threat to large communities and enterprises as well.


Here below we have mentioned all the recommendations offered by the experts:-

  • Backups should be conducted regularly.
  • Make sure to store your backups in the cloud or on a separate network.
  • It is recommended that you enable automatic software updates on your computer, mobile phone, and any other connected devices whenever possible and practical.
  • Your connected devices, like your computer, laptop, and mobile phone, should be protected with a reputable anti-virus and Internet security software package.
  • Make sure you verify the authenticity of email attachments and links before opening them.
  • Devices that are infected on the same network should be disconnected.
  • Ensure that external storage devices are disconnected if they are connected.
  • Make sure that system logs are checked for suspicious activity.
  • We recommend reading Ransomware Attack Response and Mitigation Checklist.

Managed DDoS Attack Protection for Applications – Download Free Guide


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Splunk Flaw Let Attackers Escalate Privilege Using crafted web Request

Splunk is one of the most used SIEM (Security Incident and Event Management) tools worldwide.…

13 hours ago

Amazon Ring Employees Able to Access Every Single Camera Customer Video

California-based Ring LLC endangered its customers’ privacy by allowing any employee or contractor to see…

18 hours ago

Millions of PC Motherboard Were Sold With Backdoor Installed

Gigabyte systems have been identified by the Eclypsium platform for exhibiting suspicious backdoor-like behavior. This…

19 hours ago

Free Threat Hunting Platform Security Onion Released Updates – What’s New!

The third Beta version of Security Onion 2.4 is made available by Security Onion Solutions.…

2 days ago

Toyota Server Misconfiguration Leaks Owners Data for Over Seven Years

The Leak discloses Address, Vehicle Identification Number (VIN), Email address, Phone number, Name, and Vehicle…

2 days ago

Dark Pink APT Group Compromised 13 Organizations in 9 Countries

Dark Pink has successfully targeted 13 organizations across 9 countries, highlighting the extent of their…

3 days ago