New Ransomware that Encrypts Files & Steals Tokens From Victim’s Machine

New Ransomware that Encrypts Files & Steals Tokens From Victim’s Machine
Attackers%20Use%20New%20Ransomware%20that%20Encrypts%20Files

Security researchers at Cyble recently identified that the authors of ransomware now have access to a brand new malicious tool – AXLocker – which has the ability to encrypt and make the multitude of file types unusable.

As one of the most profitable and important malware families for threat Actors, ransomware has rapidly become one of the most important threat types.

Attack Flow

There are three new ransomware families of the following were uncovered: AXLocker, Octocrypt, and Alice Ransomware.

Attackers behind the AXLocker ransomware steal the discord tokens and accounts of infected users. After encrypting files on the victim’s computer, a ransom note is portrayed. This note gives the victim instructions on how to obtain the decryption tool. Cyble researchers said via technical report.

Discord tokens stolen by hackers can be used to perform the following actions:

  • Log in as the user
  • Obtain information about the associated account by issuing API requests

NFT platforms and cryptocurrency groups have turned to Discord as a preferred community for communication. 

So, it’s obvious that an attacker could make use of the Discord moderator token as well as the tokens of other verified community members to carry out scams and steal funds through fraudulent use of them.

The new AXLocker ransomware has been marked as one of the most sophisticated malware since it steals Discord tokens of its victims along with encrypting the files of their victims.

While the threat actors who use this malicious tool do not possess any particular sophistication when it comes to their actions.

After the ransomware has been executed, it encrypts files by calling a function called startencryption() on the system which hides its presence by modifying the attributes of its files.

x0y2W3HulIsQaOxYZtXBE3DowduuKLDdhLGx92YUnqvh R5o3QXDLpP3htYrANniuUa0 ZKciiTEwN7Yy IrrkEPFIgFRinCGoot1eV B3v E8LPzpT5HrqhNIyH4V 5Cq KENCCoF90a94Z5NJxeRktjimV3l1djrup 7v4SC4tLsiBhgOn50O8KdSIhA

A startencryption() function is responsible for enumerating the available directories on the C:/ drive and finding files in them by using the code contained in the function. 

The encryption process is controlled by looking for encryptable file extensions and excluding a list of directories from being encrypted.

Mj eypW5BQnLyh6B5peaBBpGg8O1rcerl2N DOpW1DqaLxH5UNPDbn7owqtrxnYJiLjsMHEWDQF6H8Ws8pQQKgQBPz5r0Oj9tWwbxS dQ9x6z NAfbzywix77AnHryAeHuoaQg9gfXKCr30HqltwdMCMf Jjt7Y1DAjzkb Syq pcAA

This is followed by the ransomware calling the ProcessFile function, which will then execute the EncryptFile function that encrypts the system files of the victim by using the fileName as the argument.

The AES algorithm is used by AXLocker when encrypting files. However, the encrypted files do not have any extension appended to their filenames, so they appear with the same names as the original.

Then it uses a webhook URL through which it sends the following data to the Discord channel that’s under the control of the threat actors:-

  • Victim ID
  • System details
  • Data stored in browsers
  • Discord tokens

While apart from this security analysts also detected two more ransomware families and here they are mentioned below:-

  • Octocrypt Ransomware
  • Alice Ransomware

There is a RaaS (Ransomware-as-a-Service) business model behind both of this ransomware. All Windows versions are targeted by these new variants of ransomware.

Targeted Directories

Among the directories targeted by the malware for stealing Discord tokens are the following ones:-

  • DiscordLocal Storageleveldb
  • discordcanaryLocal Storageleveldb
  • discordptbleveldb
  • Opera SoftwareOpera StableLocal Storageleveldb
  • GoogleChromeUser Data\DefaultLocal Storageleveldb
  • BraveSoftwareBrave-BrowserUser DataDefaultLocal Storageleveldb
  • YandexYandexBrowserUser DataDefaultLocal Storageleveldb

However, it is important to note that although this ransomware is primarily directed at consumers, but, still it could pose a substantial threat to large communities and enterprises as well.

Recommendations

Here below we have mentioned all the recommendations offered by the experts:-

  • Backups should be conducted regularly.
  • Make sure to store your backups in the cloud or on a separate network.
  • It is recommended that you enable automatic software updates on your computer, mobile phone, and any other connected devices whenever possible and practical.
  • Your connected devices, like your computer, laptop, and mobile phone, should be protected with a reputable anti-virus and Internet security software package.
  • Make sure you verify the authenticity of email attachments and links before opening them.
  • Devices that are infected on the same network should be disconnected.
  • Ensure that external storage devices are disconnected if they are connected.
  • Make sure that system logs are checked for suspicious activity.
  • We recommend reading Ransomware Attack Response and Mitigation Checklist.

Managed DDoS Attack Protection for Applications – Download Free Guide

administrator

Leave a Reply

Your email address will not be published. Required fields are marked *

fb logo
recover dogecoin from a scam
recover ethereum from a scammer
hire a hacker to hack iphone
hire a hacker to hack snapchat
hire a hacker to hack a windows computer
error: Content is protected !!