Go to listing page

AXLocker, Octocrypt, and Alice Driving Next Waves of Ransomware Attacks

AXLocker, Octocrypt, and Alice Driving Next Waves of Ransomware Attacks
Ransomware operators are evolving by expanding the scope of their operations by developing and adopting new tools in cyberattacks. Recently, Cyble researchers discovered three new ransomware families, AXLocker, Octocrypt, and Alice, in widespread attacks.

AXLocker: a two-in-one threat

AXLocker is a not-so-sophisticated malware that encrypts victims' files and demands a ransom payment, as well as steals the Discord accounts of infected users. 
  • It targets consumer Windows systems rather than enterprise ones. Upon execution, it targets certain file extensions and excludes specific folders. It uses the AES algorithm for encryption and does not change the filename or extension after encryption.
  • It uses the grab function to scan several directories and extracts Discord tokens using regular expressions across multiple browsers, including Opera, Google Chrome, BraveSoftware, and Yandex.
  • AXLocker collects and sends stolen information such as computer name, username, machine IP address, system UUID, system details, data stored in browsers, victim ID, and Discord tokens to the operators’ Discord channel using a webhook URL.

It informs victims with a pop-up window containing a ransom note that their data has been encrypted. They are given 48 hours to contact the attackers with their victim ID, however, the ransom amount or the purchase amount of a decryptor isn't mentioned in the note.


Octocrypt is a new Golang-based ransomware strain that has a simple web interface for building the encryptor and decryptor.
  • It operates as a RaaS business model and surfaced on cybercrime forums around October for $400. It targets all Windows versions and uses the AES-256-CTR algorithm for encryption. It will append .octo extension after encryption.
  • After infection, it drops a ransom note in multiple folders and changes the victim’s desktop background, threatening to send a ransom amount to a specific Monero wallet address.


Alice is a new ransomware that, like OctoCrypt, works under a RaaS business model. It surfaced on cybercrime forums under the TAs project of ‘Alice in the Land of Malware’.
  • Alice operators can generate ransomware binary files with a customized ransom note using Alice ransomware builder. It encrypts the victim’s files after execution, adds .alice extension, and drops ransom notes in multiple folders.
  • The builder is sold for $600 for one month and $1,400 for three months. In addition, it offers negotiation options with the operator for buying the builder forever, or for any modifications.


A considerable increase has been observed in cybercrime activity and hackers are actively selling their products on cybercrime forums without any regulation. Even with new tools and techniques, they successfully maintain a low profile to avoid drawing the attention of law enforcement agencies. Organizations must implement the requisite security best practices and security controls to prevent sophisticated and aggressive ransomware.
Cyware Publisher