
Recent Ransomware Attack Encrypts Your Data Before Stealing Your Discord Account

The ransomware, called “AXLocker” and first reported in November 2022, not only encrypts victims’ data and demands a ransom payment, but also steals the victims’ Discord accounts by taking their authentication tokens.

When a user logs into Discord with their credentials, the platform returns an authentication token that is stored on the user’s computer. From then on, anyone holding that token can log in as the user or call the Discord API to pull data from the associated account, without needing the password.

Threat actors therefore target these tokens: a stolen token lets them hijack the account or, worse, use it as a springboard for further attacks. Discord has become the community platform of choice for NFT projects and cryptocurrency organisations, so an attacker who takes the token of a moderator or another verified community member may be able to run scams and steal funds.

Ransomware Attack Carries a Double Threat

AXLocker is a double threat. Cyble researchers recently analysed a sample of the new AXLocker ransomware and found that it not only encrypts data but also steals its victims’ Discord tokens.

As ransomware goes, neither the software nor the threat actors behind it are particularly sophisticated. As the screenshot below shows, when the ransomware runs it targets a specific list of file extensions and skips a specific list of directories.

Screenshot: file extensions targeted for encryption and directories excluded from it (Cyble)

AXLocker encrypts files with AES. It does not append an extension to encrypted files, so they keep their original names and a glance at the file system does not reveal which files have been encrypted. The image below shows a file after the ransomware has successfully encrypted it on the victim’s computer.

Screenshot: a file encrypted by the AXLocker ransomware (Cyble)
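Because AXLocker leaves file names untouched, a responder cannot list encrypted files by extension the way they can with most ransomware. The following triage script is an added example (not part of the page or of Cyble’s analysis) of how to find such files by content instead: for known types it checks the magic bytes against the extension, and for everything else it measures the Shannon entropy of the first few kilobytes, which for AES output sits close to 8 bits per byte. The sample directory it builds, the threshold of 7.5 bits and the list of skipped directories are assumptions chosen for the demonstration.

```python
"""Triage helper for ransomware that encrypts files in place without renaming them.

Added example; the sample files are constructed here and are not real victim data.
"""
import math
import os
import random
import tempfile
from collections import Counter

# Content signatures ("magic bytes") for a few common types. A file whose
# extension is listed here but whose bytes do not start with the signature
# has had its body replaced, which is what in-place encryption does.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

SAMPLE_BYTES = 4096       # bytes read from the start of each file
MIN_BYTES = 256           # entropy is meaningless on tiny samples
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed cut-off); AES output is ~8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> str:
    """Return 'ok', 'too-small', 'magic-mismatch' or 'high-entropy'."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < MIN_BYTES:
        return "too-small"
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None:
        # Known type: trust the signature, not the name.
        return "ok" if head.startswith(expected) else "magic-mismatch"
    # Unknown type (text, csv, source code ...): fall back to entropy.
    return "high-entropy" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "ok"


def scan_tree(root: str, skip_dirs=("Windows", "Program Files")) -> dict:
    """Walk root and return {relative path: verdict} for suspicious files only."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            if verdict in ("magic-mismatch", "high-entropy"):
                hits[os.path.relpath(full, root)] = verdict
    return hits


def build_demo_tree() -> str:
    """Constructed sample data: a temp directory with two intact files and two
    whose bodies were replaced by pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(1234)  # seeded so the demo is deterministic
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    root = tempfile.mkdtemp(prefix="axlocker-triage-")
    files = {
        "photo.png": MAGIC[".png"] + noise(2048),            # intact, compressed body
        "notes.txt": b"Quarterly report, draft 3.\n" * 100,  # intact plaintext
        "invoice.pdf": noise(2048),                          # name kept, body replaced
        "secrets.txt": noise(2048),                          # no signature to check
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, verdict in sorted(scan_tree(demo).items()):
        print(f"{verdict:15} {rel}")
```

Run it as a script to see the two planted files flagged while the genuine PNG (high entropy, but correct signature) and the plaintext note pass. On a real host, point `scan_tree` at the user profile and review the hits rather than trusting them blindly: compressed archives, media and already-encrypted containers without a listed signature will also score high on entropy.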

Once the victim’s files are encrypted, the ransomware collects and sends sensitive information to the threat actors: the victim’s computer name, username, machine IP address, system UUID and Discord tokens.

To steal the Discord token, AXLocker scans selected directories and extracts tokens with regular expressions: it searches Discord’s local storage files for token-shaped strings, collects the matches in a list, and then sends them, together with the other harvested data, to a Discord URL controlled by the attackers (visible in the screenshot below).

Screenshot: the Discord token-grabbing function (Cyble)

Finally, the ransom note appears, telling victims that their data has been encrypted and explaining how to contact the threat actor to buy a decryptor. The attackers give victims 48 hours to get in touch, quoting their victim ID, but the note does not state the ransom amount.

Screenshot: the ransom message from AXLocker (Cyble)

Mitigations

Although AXLocker is clearly aimed at individuals rather than businesses, large communities can still be affected, since a single stolen moderator token exposes everyone in that community. If you discover that AXLocker has encrypted your computer, change your Discord password immediately: doing so invalidates the token the ransomware has stolen.

Your files may not be recoverable, but this will at least stop further compromise of your data, your accounts and the communities you take part in.

Putting the right security measures and controls in place helps businesses stay ahead of the methods threat actors use; otherwise they risk falling victim to persistent and increasingly sophisticated ransomware attacks.

Avoid clicking suspicious links or opening email attachments without first verifying their authenticity.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
