New AXLocker Ransomware Steals Victims' Discord Tokens

Security researchers have warned of a new ransomware variant that not only encrypts the victim’s files but also attempts to steal data by enabling a Discord account takeover (ATO).

Aimed at consumers, the “AXLocker” ransomware functions in a fairly typical way, targeting certain file extensions with AES encryption, before extorting the victim.

However, before encrypting, it steals the Discord tokens that the platform uses to authenticate users once they have entered their credentials to log in to an account.

Doing so enables the threat actors to hijack these accounts for follow-on fraud and malware propagation. The messaging platform is particularly popular among the gaming and crypto communities, but is also a hotbed of malicious activity.

After sending the stolen Discord tokens to an external server and encrypting the victim’s files, AXLocker will show a pop-up window containing the ransom note, with a timer ticking down until the decryption key is deleted.

The research team at Cyble also revealed two additional new ransomware variants.

Octocrypt is a ransomware-as-a-service (RaaS) offering that targets all Windows versions.

Discovered around October 2022, it’s available on cybercrime forums for just $400, according to Cyble. The variant appears to have been designed for ease of use.

“The Octocrypt web panel builder interface allows threat actors to generate ransomware binary executables by entering options such as API URL, crypto address, crypto amount and contact email address,” the vendor explained.

“Threat actors can download the generated payload file by clicking the URL provided in the web panel under payload details.”

The final new ransomware variant discovered by Cyble is dubbed “Alice” or “Alice in the Land of Malware.”

Its developers are selling a ransomware builder for just $600 per month, promising responsive support, fast encryption, customizable elements and compatibility with “Asian/Arab PCs.”

Cyble argued that organizations must get better at scanning the dark web for the early warning signs of new variants, as well as compromised credentials and vulnerability exploits that can forewarn them of potential attacks.

“Threat actors are increasingly attempting to maintain a low profile to avoid drawing the attention of law enforcement agencies,” it concluded.

“Enterprises need to stay ahead of the techniques used by threat actors and implement the requisite security best practices and security controls, or they will become the victims of increasingly sophisticated and aggressive ransomware.”