Cyble Research and Intelligence Labs has discovered three new ransomware families that encrypt the victim’s documents and enable a Discord ATO (account takeover) to steal data.
The three variants include AXLocker, Octocrypt, and Alice Ransomware. It is worth noting that Discord is relatively popular among crypto and gaming communities.
Ransomware Details- AXLocker
Code analysis of the AXLocker ransomware revealed that it functions like any malware but only targets file extensions with AES encryption. The Startencryption() function makes the system capable of searching documents by enumerating the available directories on the C:\ drive. Unlike other ransomware, AXLocker never modifies the encrypted files’ names or extensions.
Before encrypting, the ransomware steals the Discord tokens. The platform uses these tokens to authenticate users after logging into their accounts. This lets the attackers hijack the accounts for further malware propagation and fraud.
Once the Discord tokens are sent to an external server and the files are encrypted, the ransomware displays a pop-up window that contains the ransom note. There’s a timer that keeps ticking until the decryption key gets deleted.
Octocrypt
Another ransomware variant discovered by Cyble security researchers was Octocrypt. It is ransomware-as-a-service ransomware that targets Windows-based systems. Octocrypt was found in October 2022 and can be purchased on cybercrime forums for $400.
The variant’s web panel builder lets attackers generate ransomware binary executables after entering API, URL, crypto address, crypto amount, and contact email ID. Threat actors may download the payload file by clicking the URL contained in the web panel under payload details.
Alice
The third ransomware variant discovered was dubbed Alice or Alice in the Land of Malware. The ransomware builder is available for only $600 per month, and in return, the buyer gets responsive support, customization elements, and faster encryption capabilities. Moreover, it also offers compatibility with Asian/Arab PCs.
In their blog post, Cyble researchers stated that organizations should improve their scanning for the early warning signs of new variants and compromised credentials to thwart potential attacks. Enterprises must stay ahead of the attack techniques threat actors use to target their systems. This is possible only through implementing security best practices and enhanced security controls.
“Threat actors are increasingly attempting to maintain a low profile to avoid drawing the attention of law enforcement agencies.”
