Remember the names: Octocrypt, Alice and AXLocker, because we will definitely hear about them again.
Experts from Cyble Research and Intelligence Labs (CRIL) have discovered three new strains of ransomware: AXLocker, Octocrypt and Alice.
AXLocker encrypts victims' files and steals Discord tokens from the infected computer. The analysis of the code showed that using the startencryption() function, the malware searches for the necessary files by sorting through the available directories on the C:\ drive. AXLocker only targets files with a specific extension and excludes some directories from the encryption list.
The malware uses the AES encryption algorithm to encrypt files. Unlike other ransomware, it does not change the name or extension of the encrypted one.
After encrypting the necessary files, AXLocker collects and sends the following set of information to attackers:
Computer name;
Username;
computer IP address;
UUID of the system;
Discord tokens.
The malware uses regular expressions to search for Discord tokens in local storage files and then sends them to the attackers' Discord server along with other information.
When finished with data encryption and information collection, AXLocker displays a window containing a note with instructions and a request to contact the operators. The note does not specify the amount that the victim must pay for the decryption of their data.
In addition to AXLocker, Cyble researchers also discovered two other ransomware:
Octocrypt. This malware is written in Golang and distributed using the Ransomware-as-a-Service (RaaS) scheme. Attackers offer to buy it for $400:
Alice. Little is known about this malware. The researchers found out only that it is also distributed according to the RaaS scheme.
And even though all of the above ransomware is more aimed at ordinary users, experts believe that they can pose a threat to large companies as well.