This virus not only encrypts your files but also steals your Discord account

AXLocker is a new ransomware strain discovered in mid-November 2022. Its peculiarity is that, after infecting a machine, it encrypts the victim's files and demands a ransom payment, and it also steals the Discord accounts of the infected users. A two-for-one virus.

This computer virus is very harmful: it can not only lock you out of personal files you need, but also steal your Discord account.

The AXLocker virus first encrypts your files

The danger of AXLocker is twofold. First, on infected computers it encrypts personal data such as documents, photos and databases, and demands that victims pay for decryption. Unlike other ransomware, which usually renames encrypted files by adding a new extension, AXLocker leaves file names as they were.

AXLocker ransom note

AXLocker encrypts files on the infected system, making them unreadable and therefore not executable, before displaying a ransom demand in a pop-up window. When executed, the ransomware targets certain file extensions and excludes specific folders, going after the files most likely to be opened and so pressing the victim to pay the ransom for decryption and a return to normality.

AXLocker encrypts files with the AES algorithm and leaves them under their normal names. It then sends a victim ID, system details, data stored in browsers, and Discord tokens to the threat actors' Discord channel via a webhook URL. Victims have 48 hours to contact the attackers with their victim ID, but the ransom amount is not mentioned in the note.

In case of infection, you can use automatic decryptors such as Kaspersky's Rakhni Decryptor tool, which can decrypt AXLocker files. Dr. Web offers a free decryption service for owners of its products Dr.Web Space Security or Dr.Web Enterprise Security Suite. Other users can request help decrypting AXLocker files by uploading samples to the Dr. Web Ransomware Decryption Service.

It also steals your Discord account

Discord is where the second danger of this ransomware lies. As Discord has become the community of choice for NFT platforms and cryptocurrency groups, stealing a token from a moderator or other verified community member could allow threat actors to run scams and steal funds.

Cybercriminals steal Discord tokens by searching the following directories:

  • Discord\Local Storage\leveldb
  • discordcanary\Local Storage\leveldb
  • discordptb\leveldb
  • Opera Software\Opera Stable\Local Storage\leveldb
  • Google\Chrome\User Data\Default\Local Storage\leveldb
  • BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
  • Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb

If you find that AXLocker has encrypted files on your computer, you should immediately change your Discord password, as doing so will invalidate the token stolen by the ransomware.
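The directory list above can also drive detection. The following is an added example, not code from the original article or from any vendor: it flags processes other than the owning application that touch those token stores, and singles out any process that touches several of them. The event format, host names, file names and the owning-process names (discord.exe, chrome.exe and so on) are assumptions made for the example.

```python
import ntpath
from collections import defaultdict

# Path fragments from the article's list, lower-cased. The owning process
# names on the right are assumptions added for this example.
TOKEN_STORES = {
    r"discord\local storage\leveldb": {"discord.exe"},
    r"discordcanary\local storage\leveldb": {"discordcanary.exe"},
    r"discordptb\leveldb": {"discordptb.exe"},
    r"opera software\opera stable\local storage\leveldb": {"opera.exe"},
    r"google\chrome\user data\default\local storage\leveldb": {"chrome.exe"},
    r"bravesoftware\brave-browser\user data\default\local storage\leveldb": {"brave.exe"},
    r"yandex\yandexbrowser\user data\default\local storage\leveldb": {"browser.exe"},
}

def match_store(path):
    """Return the token-store fragment that path falls under, or None."""
    padded = "\\" + ntpath.normpath(path).lower() + "\\"
    for frag in TOKEN_STORES:
        if "\\" + frag + "\\" in padded:  # whole path components only
            return frag
    return None

def foreign_accesses(events):
    """Map (host, process) -> set of stores touched by a non-owning process."""
    seen = defaultdict(set)
    for ev in events:
        frag = match_store(ev["path"])
        image = ntpath.basename(ev["image"]).lower()
        if frag and image not in TOKEN_STORES[frag]:
            seen[(ev["host"], image)].add(frag)
    return dict(seen)

def sweepers(events, min_stores=2):
    """Processes that touched several different stores on one host."""
    return sorted(k for k, v in foreign_accesses(events).items() if len(v) >= min_stores)

# Constructed sample file-access events (hypothetical hosts, users, files).
EVENTS = [
    {"host": "WS01", "image": r"C:\Users\a\AppData\Local\Discord\Discord.exe",
     "path": r"C:\Users\a\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"host": "WS02", "image": r"C:\Users\b\Downloads\invoice.exe",
     "path": r"C:\Users\b\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"host": "WS02", "image": r"C:\Users\b\Downloads\invoice.exe",
     "path": r"C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log"},
    {"host": "WS03", "image": r"C:\Program Files\Backup\bkp.exe",
     "path": r"C:\Users\c\AppData\Roaming\Opera Software\Opera Stable\Local Storage\leveldb\LOG"},
]

if __name__ == "__main__":
    print(foreign_accesses(EVENTS))
    print(sweepers(EVENTS))
```

Matching on process name alone can be fooled by a renamed binary, so in practice pair it with the image's full path or signature before treating an access as benign.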