Contents:
AXLocker is a new strain of ransomware discovered in late November 2022. It encrypts the files of victims and demands payment, but it also steals the Discord accounts of infected users—a double-edged sword.
How Does The Virus Work?
First, AXLocker encrypts your files. The danger of AXLocker is twofold. First, its potential risk is that it encrypts files on a victim’s computer, including data like documents, photos, and databases.
Secondly, it renames these encrypted files with new extensions. Unlike other ransomware infections, which usually display decrypted files in their original appearance, AXLocker leaves them looking like they haven’t been accessed.
Finally, it encrypts the files on an infected computer and makes them unreadable. That’s why a popup window will display a ransom demand to let users know they just got locked out of their devices.
Once executed, it will attack specific file extensions while preserving folders that aren’t as likely to be opened and thus urging users to pay to decrypt their files and get their computer functioning again.
When encrypting the data on a victim’s computer, AXLocker uses the AES algorithm, causing encrypted files to show up usually, and they will later send a victim ID, system details, data stored in browsers, and Discord tokens to a threat-actor’s Discord channel.
Victims have 48 hours to respond with their ID to provide payment information, but the ransom amount is not mentioned in the note.
Why Discord?
Discord has become the go-to platform for NFT and cryptocurrency communities, making it prime for theft. As a moderator or verified community member, your token could be stolen and used for phishing scams and fraudulent transactions.
There are several directories on Discord that cybercriminals like to access, such as:
- DiscordLocalStorageleveldb;
- discordcanaryLocalStorageleveldb;
- discordptbleveldb;
- Opera Software Opera Stable Local Storage level db;
- GoogleChromeUserDataDefaultLocalStorageleveldb
- BraveSoftwareBrave;
- BrowserUserDataDefaultLocalStorageleveldb;
- YandexYandexBrowserUser DataDefaultLocal Storageleveldb.
If you find yourself in the unfortunate position where AxLocker encrypted files on your computer and you think your Discord password may have been stolen, it would be best to immediately change your Discord password to invalidate the token before it expires.
Although this ransomware targets consumers rather than enterprises, it could still threaten large communities.
How Can Heimdal™ Help?
To take on the latest ransomware threats, we’re offering our customers an outstanding integrated cybersecurity suite, including the Ransomware Encryption Protection module.
This module is compatible with any antivirus solution and is 100% signature-free, ensuring superior detection and remediation of any ransomware.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
