AXLocker, Octocrypt, and Alice ransomware families are analyzed, detailing AXLocker’s file encryption alongside its Discord token theft, and presenting Octocrypt and Alice as RaaS-style offerings with builder tools and wallet-based ransom models. The piece emphasizes attacker workflows, indicators, and recommended security measures for organizations facing evolving ransomware campaigns. #AXLocker #Octocrypt
Keypoints
- Cyble Research and Intelligence Labs (CRIL) identifies three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware.
- AXLocker not only encrypts files but also exfiltrates Discord tokens from local storage and reports them to a threat actor (TA) controlled server.
- AXLocker uses AES-based encryption, enumerates directories, and excludes certain paths during encryption.
- Discord token theft is performed via regex on Local Storage/LevelDB files and exfiltrated to a Discord webhook.
- Octocrypt and Alice operate under a Ransomware-as-a-Service (RaaS) model; Octocrypt includes a builder to generate payloads with API URLs and wallet details.
- Alice provides an encryptor/decryptor pair and a builder; encrypted files gain the .alice extension with ransom notes dropped in multiple folders.
- The reports include a MITRE ATT&CK mapping, example indicators, and recommendations on backups, updates, and monitoring dark web chatter for early warnings.
MITRE Techniques
- [T1204] User Execution – “the ransomware shows a pop-up window that contains a ransom note that gives instructions to victims”; the user-facing ransom note is cited as the prompt for user action. “Finally, the ransomware changes the victim’s wallpaper which displays a message” is the corresponding user-facing impact.
- [T1059] Command and Scripting Interpreter – “startencryption() function contains code to search files by enumerating the available directories in the C: drive.”
- [T1047] Windows Management Instrumentation – appears in the article’s MITRE mapping as an associated technique used by the campaigns.
- [T1497] Virtualization/Sandbox Evasion – the article maps this defense-evasion technique to AXLocker’s operations.
- [T1528] Steal Application Access Token – used to describe the theft of Discord tokens from local storage and sending them to an actor server.
- [T1087] Account Discovery – part of the discovery category for enumerating accounts or system data.
- [T1082] System Information Discovery – gathering system information as part of reconnaissance.
- [T1083] File and Directory Discovery – the malware enumerates directories and targets specific file types for encryption.
- [T1486] Data Encrypted for Impact – AXLocker and Octocrypt encrypt victim files, rendering them unusable.
- [T1071] Application Layer Protocol – C2 communication to a Discord webhook service for data exfiltration.
- [T1020] Automated Exfiltration – exfiltrating stolen victim details (Discord tokens and machine info) to external servers.
Indicators of Compromise
- [File Hash] context – AXLocker and Octocrypt executable hashes (SHA-256). c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c, 9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344
- [File Hash] context – Additional AXLocker/Octocrypt related hashes (SHA-256). 346e7a626d27f9119b795c889881ed3dce25203215f689451a2abb52d24216aec153925a, 2afdbca6a8627803b377adc19ef1467de65e3dd30f4628f77dc9c4e766ee8b32
- [File Hash] context – More hashes associated with AXLocker/Octocrypt. ad1c2d9a87ebc01fa187f2f44d9a977cd9793c24290599662adc4c9cba98a192207d9c5a18360f3a642bd9c07ef70d57
- [File Name] context – Ransom note file names dropped by the campaigns. INSTRUCTIONS.html, How to Restore Your Files.txt
- [Extension] context – Encrypted file extensions used by the campaigns. .octo, .alice
- [Directory Path] context – LevelDB local-storage paths searched to locate Discord tokens (path separators restored). Discord\Local Storage\leveldb, discordcanary\Local Storage\leveldb, discordptb\leveldb, Opera Software\Opera Stable\Local Storage\leveldb, Google\Chrome\User Data\Default\Local Storage\leveldb, BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb, Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
- [URL] context – Exfiltration/webhook URL used to send stolen data. hxxps://discord[.]com/api/webhooks/1039930467614478378/N2J80EuPMXSWuIBpizgDJ-75[Redacted]DJimbA7xriJVmtb14gUP3VCBBZ0AZR
- [Domain] context – External domain used for C2. discord.com
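A defender-side sweep over the indicators listed above, added here as an example and not code from the Cyble report: it hashes files against the three well-formed SHA-256 values (the two hashes that arrive truncated or concatenated are left out), flags the ransom note names and the .octo/.alice extensions, and scans proxy or EDR log lines for Discord webhook requests, marking the webhook id taken from the defanged exfiltration URL. The log line format and the function names are assumptions.

```python
import hashlib
import os
import re

# Indicators as quoted in the report summary above; the two garbled hashes are left out
IOC_SHA256 = {
    "c8e3c547e22ae37f9eeb37a1efd28de2bae0bfae67ce3798da9592f8579d433c",
    "9a557b61005dded36d92a2f4dafdfe9da66506ed8e2af1c851db57d8914c4344",
    "2afdbca6a8627803b377adc19ef1467de65e3dd30f4628f77dc9c4e766ee8b32",
}
RANSOM_NOTES = {"INSTRUCTIONS.html", "How to Restore Your Files.txt"}
ENCRYPTED_EXTS = {".octo", ".alice"}
IOC_WEBHOOK_IDS = {"1039930467614478378"}  # id from the defanged webhook URL on the page
WEBHOOK_RE = re.compile(r"https?://discord\.com/api/webhooks/(\d+)/", re.I)


def classify_file(name: str, content: bytes, ioc_hashes=IOC_SHA256) -> list:
    """Return the indicator categories one file matches (empty list if clean)."""
    findings = []
    if hashlib.sha256(content).hexdigest() in ioc_hashes:
        findings.append("ioc_hash_match")
    if name in RANSOM_NOTES:
        findings.append("ransom_note")
    if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTS:
        findings.append("encrypted_extension")
    return findings


def sweep_directory(root: str) -> list:
    """Walk a tree and collect (path, findings) for every file hitting an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    found = classify_file(fname, fh.read())
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if found:
                hits.append((path, found))
    return hits


def find_webhook_exfil(log_lines) -> list:
    """Flag Discord webhook requests in log lines as (line_no, webhook_id, known_ioc)."""
    flagged = []
    for lineno, line in enumerate(log_lines, 1):
        m = WEBHOOK_RE.search(line)
        if m:
            flagged.append((lineno, m.group(1), m.group(1) in IOC_WEBHOOK_IDS))
    return flagged
```

Any webhook hit from a host where the Discord client is not expected is worth triage even when the id is not the one listed here, since Octocrypt's builder lets each affiliate supply their own endpoint.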