The new ‘AXLocker’ ransomware family is not only encrypting victims’ files and demanding a ransom payment, it is also stealing the Discord accounts of infected users.
When a user logs into Discord with their credentials, the platform sends back a user authentication token which is then saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account. Threat actors commonly attempt to steal these tokens because they enable them to take over accounts.
There is nothing particularly sophisticated about the AXLocker ransomware or the threat actors who use it. When executed, the ransomware will target certain file extensions and exclude specific folders. When encrypting a file, AXLocker uses the AES algorithm, but it does not append a filename extension on the encrypted files. Next, AXLocker sends a victim ID, system details, data stored in browsers, and Discord tokens to the threat actors’ Discord channel using a webhook URL. Eventually, victims are served a pop-up window containing the ransom note, informing them that their data was encrypted and how they can contact the threat actor to purchase a decryptor. Victims are given 48 hours to contact the attackers with their victim ID, but the ransom amount isn’t mentioned in the note.
While this ransomware generally targets consumers rather than the enterprise, it could still pose a significant threat to large communities. Therefore, users that are impacted by AxLocker should immediately change Discord passwords, as it will invalidate the token stolen by the ransomware. While this may not help recover files, it will prevent further compromise of accounts, data, and Discord communities.