New ransomware encrypts files and then hijacks your Discord account

November 20, 2022

The new AXLocker ransomware family not only encrypts victims’ files and demands a ransom, but also steals infected users’ Discord accounts. When a user logs into Discord with their credentials, the platform returns an authentication token that is stored on the computer. This token can then be used to log in as that user or to make API requests that retrieve information about the associated account.

Attackers often try to steal these tokens because they allow them to hijack accounts or, worse, use them in further malicious attacks. As Discord has become the community of choice for NFT platforms and cryptocurrency groups, stealing the token of a moderator or other verified community member could allow threat actors to run scams and steal funds.

AxLocker is a two-in-one threat

Cyble researchers recently examined a sample of the new AXLocker ransomware and found that it not only encrypts files but also steals the victim’s Discord tokens. There is nothing particularly sophisticated about the ransomware itself or the threat actors that use it. Once launched, it targets certain file extensions and excludes certain folders, as shown in the image below.

[Image] Target files (left) and excluded directories (right)

AXLocker uses the AES algorithm to encrypt each file but does not append an extension to encrypted files, so they keep their normal names. AXLocker then sends the victim’s ID, system information, data stored in browsers, and Discord tokens to the attackers’ Discord channel via a webhook URL.

To steal a Discord token, AxLocker scans the following directories and extracts the tokens using regular expressions:

  • Discord\Local Storage\leveldb
  • discordcanary\Local Storage\leveldb
  • discordptb\leveldb
  • Opera Software\Opera Stable\Local Storage\leveldb
  • Google\Chrome\User Data\Default\Local Storage\leveldb
  • BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
  • Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
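As an added detection example (not from the article or from Cyble’s report), the Python below correlates endpoint telemetry the way a defender would hunt for this behaviour: a single process reading two or more of the token stores listed above and then connecting to a Discord webhook URL. The event format and the sample events are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Token-store directories the article lists; matched as case-insensitive
# substrings of the observed file path.
TOKEN_STORES = [
    r"Discord\Local Storage\leveldb",
    r"discordcanary\Local Storage\leveldb",
    r"discordptb\leveldb",
    r"Opera Software\Opera Stable\Local Storage\leveldb",
    r"Google\Chrome\User Data\Default\Local Storage\leveldb",
    r"BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb",
    r"Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb",
]
# Exfiltration channel described in the article: a Discord webhook URL.
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I)


def store_hit(path):
    """Return the matching token-store entry for a file path, or None."""
    low = path.lower()
    return next((s for s in TOKEN_STORES if s.lower() in low), None)


def find_suspects(events):
    """events: dicts {pid, op, target} (assumed format). Flags a pid once it has
    read >= 2 distinct token stores and then connects to a Discord webhook."""
    stores_per_pid = defaultdict(set)
    flagged = []
    for ev in events:
        pid = ev["pid"]
        if ev["op"] == "file_read":
            hit = store_hit(ev["target"])
            if hit:
                stores_per_pid[pid].add(hit)
        elif ev["op"] == "net_connect" and WEBHOOK_RE.search(ev["target"]):
            if len(stores_per_pid[pid]) >= 2 and pid not in flagged:
                flagged.append(pid)
    return flagged


# Constructed sample telemetry: pid 1001 is the legitimate client reading its
# own store; pid 4242 sweeps two stores and posts to a (placeholder) webhook.
SAMPLE_EVENTS = [
    {"pid": 1001, "op": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\Discord\Local Storage\leveldb\000003.log"},
    {"pid": 4242, "op": "file_read",
     "target": r"C:\Users\u\AppData\Roaming\Discord\Local Storage\leveldb\000003.log"},
    {"pid": 4242, "op": "file_read",
     "target": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.ldb"},
    {"pid": 4242, "op": "net_connect",
     "target": "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"},
]
```

Running `find_suspects(SAMPLE_EVENTS)` returns `[4242]`; the legitimate client alone is not flagged because it touches only its own store and never calls a webhook.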

Victims are then shown a ransom note popup informing them that their data has been encrypted and explaining how to contact the threat actors to purchase a decryptor. Victims are given 48 hours to contact the attackers, quoting their victim ID, but the ransom note does not state a ransom amount.

While this ransomware clearly targets consumers rather than businesses, it can still pose a serious threat to large communities. Therefore, if you find that AxLocker has encrypted your computer, you should immediately change your Discord password, as doing so invalidates the token the ransomware stole. This will not restore your files, but it will prevent further hijacking of your account, your data, and the communities you belong to.

Source: Port Altele
