New ransomware strain discovered: it asks for no ransom, only that the victim join the hackers' Discord server
Security researchers have stumbled upon a ransomware strain with rather strange behavior. Called 'Hog', it still gets onto the system and encrypts the victim's files.
However, it will only decrypt those files if the victim joins a Discord server controlled by the people behind the malware.
More specifically, a security researcher from MalwareHunterTeam found a decryptor built for the 'Hog' ransomware which requires victims to join the attackers' Discord server if they want their files restored.
The encryptor component was discovered later. When executed, it first checks whether a specific Discord server exists and, only if it does, begins encrypting the victim's files.
After encrypting a file, the malware appends the .hog extension to the original file name and drops the decryptor component on the machine.
Once Hog has finished encrypting the device, it launches the DECRYPT-MY-FILES.exe decryptor, which it has placed in the Windows Startup folder so that it also runs at every logon.
This decryptor explains to the victim in detail what has happened to them, and then prompts them to enter their Discord user token, the credential the Discord client uses to authenticate that victim's own account.
For those unfamiliar with it, Discord is a voice and text chat service built around user-run 'servers'; anyone can create a server on any topic and invite others to join it.
The Discord token lets the ransomware authenticate against the Discord API as the victim and check whether that account has joined the attackers' server.
If the victim has joined the server, or if the server no longer exists, the ransomware decrypts the victim's files using a static key embedded in the malware itself.
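The check described above, reconstructed as an added example against Discord's public HTTP API; this is not the ransomware's own code, which the article does not reproduce. It assumes membership is tested with GET /users/@me/guilds using the victim's user token (sent bare in the Authorization header, unlike a bot token), that a missing server is inferred from a 404 on the guild preview endpoint, and that TARGET_GUILD_ID is a placeholder. The `offline_get` stub returns constructed responses so the decision logic can be exercised without touching Discord.

```python
"""Membership gate as the article describes it (added example, assumptions noted)."""
import json
import urllib.error
import urllib.request

DISCORD_API = "https://discord.com/api/v9"
TARGET_GUILD_ID = "000000000000000000"  # placeholder, not a real server ID


def http_get(path, token=None):
    """Minimal GET against the Discord API; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(DISCORD_API + path)
    if token:
        # A user token is sent as-is; a bot token would be prefixed with "Bot ".
        req.add_header("Authorization", token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, None


def guild_exists(guild_id, get=http_get):
    # Assumption: a non-existent server yields HTTP 404 ("Unknown Guild") here.
    status, _ = get(f"/guilds/{guild_id}/preview")
    return status != 404


def user_in_guild(token, guild_id, get=http_get):
    """True only if the token authenticates and that account lists the guild."""
    status, guilds = get("/users/@me/guilds", token)
    if status != 200 or not isinstance(guilds, list):
        return False
    return any(g.get("id") == guild_id for g in guilds)


def release_decryption(token, guild_id=TARGET_GUILD_ID, get=http_get):
    """The gate: unlock if the server is gone, or the token's account is a member."""
    if not guild_exists(guild_id, get):
        return True
    return user_in_guild(token, guild_id, get)


def offline_get(path, token=None):
    """Constructed stand-in for http_get so the logic runs offline (not real data)."""
    if path == f"/guilds/{TARGET_GUILD_ID}/preview":
        return 200, {"id": TARGET_GUILD_ID}
    if path == "/users/@me/guilds":
        if token == "member-token":
            return 200, [{"id": TARGET_GUILD_ID, "name": "attacker server"}]
        if token == "other-token":
            return 200, [{"id": "1", "name": "unrelated"}]
        return 401, None  # bad or missing token
    return 404, None


def offline_get_server_gone(path, token=None):
    """Constructed stand-in for the case where the server has been deleted."""
    return 404, None


if __name__ == "__main__":
    print("member:", release_decryption("member-token", get=offline_get))
    print("non-member:", release_decryption("other-token", get=offline_get))
    print("server gone:", release_decryption("x", get=offline_get_server_gone))
```

Note that the whole decision runs on the victim's machine and, as the article goes on to say, the key is static and embedded in the binary, so the gate protects nothing cryptographically; an analyst with the sample can recover the key regardless of what this check returns.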
While Hog appears to be a ransomware still in development, it does reflect a trend of threat actors using Discord more and more for malicious activity.
Another ransomware, named Humble, was recently spotted by Trend Micro using a Discord webhook to post details about each new victim to the attackers' Discord server.
Discord is also frequently abused by threat actors to distribute malware and to collect stolen data.
Given this, administrators and network security tooling should monitor Discord traffic (the discord.com API, webhook URLs and the discordapp.com CDN) more closely, so that unusual use of the service by processes other than the Discord client or a browser is detected early.
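As an added example of the monitoring recommended above (not code from the article or from any vendor), the following scans proxy/EDR events for Discord API use from unexpected processes. The JSON field names, the allow-list of processes and the sample events are all constructed assumptions; adapt them to your own proxy or EDR schema.

```python
"""Flag Discord API traffic that does not come from the Discord client or a browser."""
import json
import re
from urllib.parse import urlparse

DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com", "gateway.discord.gg"}
# Assumed allow-list: processes that legitimately talk to Discord on a workstation.
EXPECTED_PROCESSES = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
WEBHOOK_RE = re.compile(r"^/api/(v\d+/)?webhooks/\d+/")       # Humble-style beaconing
ME_GUILDS_RE = re.compile(r"^/api/(v\d+/)?users/@me/guilds")  # Hog-style membership check


def classify(event):
    """Return a list of reasons to alert on one event, or None if it is benign."""
    url = urlparse(event.get("url", ""))
    host = (url.hostname or "").lower()
    if host not in DISCORD_HOSTS and not host.endswith(".discord.com"):
        return None
    proc = event.get("process", "").lower()
    reasons = []
    if proc not in EXPECTED_PROCESSES:
        reasons.append(f"Discord traffic from unexpected process {proc!r}")
    if WEBHOOK_RE.match(url.path) and event.get("method", "").upper() == "POST":
        reasons.append("POST to a Discord webhook (victim beaconing / exfiltration pattern)")
    if ME_GUILDS_RE.match(url.path) and proc not in EXPECTED_PROCESSES:
        reasons.append("guild membership lookup with a user token outside the client")
    return reasons or None


def scan(lines):
    """Parse JSON-lines events and return (line_no, host, process, reasons) for alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than crash the scan
        reasons = classify(ev)
        if reasons:
            alerts.append((n, ev.get("host", "?"), ev.get("process", "?"), reasons))
    return alerts


# Constructed sample events; hostnames, processes and URLs are placeholders.
SAMPLE_LOG = [
    '{"ts":"2021-03-01T10:00:01Z","host":"ws-17","process":"Discord.exe","method":"GET","url":"https://discord.com/api/v9/users/@me"}',
    '{"ts":"2021-03-01T10:00:05Z","host":"ws-17","process":"chrome.exe","method":"GET","url":"https://cdn.discordapp.com/attachments/1/2/cat.png"}',
    '{"ts":"2021-03-01T10:02:11Z","host":"ws-17","process":"DECRYPT-MY-FILES.exe","method":"GET","url":"https://discord.com/api/v9/users/@me/guilds"}',
    '{"ts":"2021-03-01T10:03:40Z","host":"ws-22","process":"updater.exe","method":"POST","url":"https://discord.com/api/webhooks/0000/placeholder"}',
    '{"ts":"2021-03-01T10:04:00Z","host":"ws-22","process":"outlook.exe","method":"GET","url":"https://outlook.office.com/owa/"}',
]

if __name__ == "__main__":
    for line_no, host, proc, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no} {host} {proc}: " + "; ".join(reasons))
```

Process attribution is the useful signal here: Discord traffic by itself is normal on many networks, but a freshly dropped executable calling the Discord API, or anything posting to a webhook URL, is worth a ticket. If your proxy cannot attribute connections to processes, the webhook and users/@me/guilds path matches still work on URL alone, at the cost of more noise.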