Sinister AXLocker Ransomware Adds Insult To Injury By Stealing Your Discord Account

Researchers at the cybersecurity company Cyble have published a technical analysis of a new ransomware known as “AXLocker.” Aside from the regular data encryption performed by ransomware, AXLocker also searches victims’ systems for Discord login tokens, then hands these tokens over to the threat actor behind the ransomware. While victims are busy attempting to recover their encrypted data, the threat actor can use these stolen credentials to access victims’ Discord accounts, which the threat actor may use to further distribute the ransomware.

Ransomware is a growing cause for concern in the information security field. Just last week, the Federal Bureau of Investigation (FBI) and other US government agencies issued a joint cybersecurity advisory warning cybersecurity professionals about the Hive Ransomware gang, which has stolen a total of $100 million from over 1,300 organizations. Two weeks before the publication of this advisory, the White House convened the second International Counter Ransomware Summit. Leading up to the event, a senior Biden administration official warned that the growth of ransomware attacks is outpacing the United States’ ability to combat them.

This growth is driving new innovations in the ransomware space, with Android malware developers trying to get in on the action by adding ransomware capabilities to their malicious software. An already established ransomware gang is also experimenting with the use of data corruption in place of data encryption. The addition of a Discord account-stealer, as seen in AXLocker, marks further experimentation among ransomware developers.

AXLocker ransom note (source: Cyble)

After encrypting the majority of the data stored on an infected Windows machine, AXLocker checks the system for Discord directories, as well as the profile directories of the Brave, Chrome, Opera, and Yandex browsers. If the ransomware locates these directories and finds Discord authentication tokens stored within them, AXLocker exfiltrates the tokens, sending them to the threat actor conducting these ransomware attacks. Whether or not AXLocker finds any Discord authentication tokens, the ransomware also collects system information, including the computer name, username, IP address, and system UUID (universally unique identifier), and transmits it to the threat actor.

Once AXLocker has completed all its nefarious tasks, it opens a window informing the user that the files on the affected system have been encrypted with a private key. In order to obtain this private key and decrypt one’s files, the ransom note instructs the user to contact the threat actor and pay a ransom fee within a set time limit. A timer near the top of the window counts down the remaining time before the private key is deleted. The ransom note makes no mention of any stolen Discord authentication tokens, leaving victims oblivious to the act of theft perpetrated by the ransomware. Otherwise, victims might know to immediately change their Discord passwords to invalidate the stolen login tokens.