New ransomware encrypts files, then steals your Discord account
Discord is one of the most widely used social platforms today. If you have used TeamSpeak, think of Discord as its modern successor: you can talk with others by voice, share your webcam, and stream your computer or phone screen at the same time, and it offers a text-chat experience comparable to Telegram's.
Like every other social network, it carries risks for your account and data, and this article covers one of them:
The new AXLocker ransomware family not only encrypts victims' files and demands a ransom payment, but also steals the Discord accounts of infected users.
When a user logs into Discord, the platform stores an authentication token on the system. The Discord client later uses this token to log the user in and to issue API requests that retrieve information about the associated account, so whoever holds the token can act as that user without knowing the password.
Threat actors go after these tokens because a stolen token lets them take over the account or, worse, use it as a foothold for further attacks on the victim's contacts and communities.
Since Discord has become the community platform of choice for NFT projects and cryptocurrency groups, stealing the token of a moderator or another verified community member lets an attacker post from a trusted account to commit fraud and steal funds.
AxLocker is a two-in-one threat
Cyble researchers recently analyzed a sample of the new AXLocker ransomware and found that it not only encrypts files, but also steals the victim's Discord credentials.
As ransomware goes, there is nothing sophisticated about the malware itself or the threat actors behind it.
As shown in the image below, when executed, the ransomware encrypts only files with specific extensions and excludes specific folders from encryption.
To encrypt a file, AXLocker uses the AES algorithm but does not append an extension to the encrypted files, so they keep their original names and the damage is not obvious at a glance.
AXLocker then sends the victim's ID, system details, browser-stored data, and the stolen Discord tokens to an attacker-controlled Discord channel using a webhook URL.
To steal Discord tokens, AXLocker scans the following directories and extracts tokens from the LevelDB files using regular expressions:
Discord\Local Storage\leveldb
discordcanary\Local Storage\leveldb
discordptb\leveldb
Opera Software\Opera Stable\Local Storage\leveldb
Google\Chrome\User Data\\Default\Local Storage\leveldb
BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
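The combination described above (one binary that references the token stores of Discord and several browsers, and also carries a Discord webhook URL to ship the results out) is a usable hunting signature. The following Python script is an added example, not code from the article or from Cyble's analysis: it pulls ASCII and UTF-16LE strings out of a file, checks them against the LevelDB paths listed above, looks for a Discord webhook URL, and returns a verdict. The webhook URL shape is taken from Discord's public API rather than from the article, the sample "binaries" are constructed inline, and the verdict thresholds are my own choice.

```python
import re
from typing import Dict, List

# The Discord and browser LevelDB directories the article lists as AXLocker's
# scan targets. The page shows "User Data\\Default" with a doubled backslash,
# which is string-literal escaping; the on-disk path has a single one.
LEVELDB_PATHS = [
    r"Discord\Local Storage\leveldb",
    r"discordcanary\Local Storage\leveldb",
    r"discordptb\leveldb",
    r"Opera Software\Opera Stable\Local Storage\leveldb",
    r"Google\Chrome\User Data\Default\Local Storage\leveldb",
    r"BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb",
    r"Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb",
]

# Discord webhook URL shape (Discord's public API, not from the article):
# https://discord.com/api/webhooks/<numeric id>/<token>
WEBHOOK_RE = re.compile(r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters.

    Windows binaries (especially .NET ones) keep many string constants as
    UTF-16LE, so an ASCII-only scan misses the paths and URLs we care about.
    """
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_re, data)]
    found += [m.group().decode("utf-16le") for m in re.finditer(utf16_re, data)]
    return found


def scan_for_token_stealer(data: bytes) -> Dict[str, object]:
    """Score a blob on the two indicators the article describes: references to
    several token stores plus a Discord webhook to exfiltrate through."""
    strings = extract_strings(data)
    lowered = [s.lower() for s in strings]
    hit_paths = [p for p in LEVELDB_PATHS if any(p.lower() in s for s in lowered)]
    webhooks = sorted({m.group() for s in strings for m in WEBHOOK_RE.finditer(s)})

    # Discord's own client legitimately references its own leveldb path, so a
    # single hit is not a signal; touching several vendors' stores is, and a
    # webhook next to them is the exfiltration channel.
    if len(hit_paths) >= 2 and webhooks:
        verdict = "token-stealer"
    elif len(hit_paths) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "leveldb_paths": hit_paths, "webhooks": webhooks}


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for scanning a quarantined sample on disk."""
    with open(path, "rb") as fh:
        return scan_for_token_stealer(fh.read())


def _u16(s: str) -> bytes:
    return s.encode("utf-16le")


# Constructed sample "binaries" for a stand-alone run; these are not real
# AXLocker bytes, just the kind of string constants such a stealer carries.
SAMPLES = {
    "stealer": b"\x00\x00".join([
        b"MZ\x90\x00\x03\x00",
        b"Google\\Chrome\\User Data\\Default\\Local Storage\\leveldb",
        _u16("discordptb\\leveldb"),
        _u16("https://discord.com/api/webhooks/1234567890/AbCdEf-ghIJk_0123"),
    ]) + b"\x00\x00",
    "benign": b"\x00\x00".join([
        b"MZ\x90\x00\x03\x00",
        b"Discord\\Local Storage\\leveldb",
        _u16("Some ordinary UI caption"),
    ]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, scan_for_token_stealer(blob))
```

Run `scan_file()` against a quarantined sample rather than a live one. String-level indicators like these are cheap to evade with obfuscation or runtime string building, so treat a hit as a triage lead and pair it with network monitoring: outbound requests to `discord.com/api/webhooks/` from anything other than the Discord client itself are worth an alert on their own.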
Finally, AXLocker displays a pop-up window containing the ransom note, which tells the victim that their files have been encrypted and explains how to contact the attacker to get them back.
Victims are given 48 hours to contact the attacker and recover their files.
If you find that this ransomware has encrypted your computer, change your Discord password immediately: doing so invalidates the token the malware stole, so the attacker can no longer use it to act as you or to pull further data from your account.
Your encrypted files will not come back, but the rest of your information can at least be kept safe and further theft prevented.