2021-04-09 10:16:31
International security researchers have just come across a strain of ransomware with rather strange behavior. Known as “Hog”, this ransomware still enters the system and encrypts the victim’s data files, but it only agrees to decrypt them if the victim joins a Discord server controlled by the people behind the malware.
More specifically, a security researcher from MalwareHunterTeam found a decryptor built for the Hog ransomware that requires victims to join the attackers’ Discord server before their files can be decrypted.
The encryptor component of the malware was discovered shortly afterwards. When executed, it checks whether a particular Discord server exists and, if so, starts encrypting the victim’s files.
Once it has successfully encrypted a file, the malware appends the .hog extension after the original file extension, as shown below, and automatically extracts the decryptor component.
After Hog has finished encrypting the target device, it immediately launches the DECRYPT-MY-FILES.exe decryptor from the Windows Startup folder.
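The two host-side artifacts described above (files carrying the .hog extension and the DECRYPT-MY-FILES.exe decryptor sitting in the Windows Startup folder) are easy to sweep for on an endpoint. The script below is an added triage example, not code from the article or from the malware; it builds a constructed user profile in a temporary directory so it runs anywhere, and the Startup folder locations it derives from APPDATA and PROGRAMDATA are the standard Windows paths, assumed here rather than taken from the article.

```python
"""Endpoint triage for the Hog artifacts named in the article:
   - files renamed with the .hog extension
   - DECRYPT-MY-FILES.exe dropped into a Windows Startup folder
The sample profile is constructed in a temp directory; on a real Windows host
call triage(Path.home(), windows_startup_folders()) instead."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

HOG_EXTENSION = ".hog"                   # extension the ransomware appends (from the article)
DECRYPTOR_NAME = "DECRYPT-MY-FILES.exe"  # decryptor launched from the Startup folder (from the article)


def windows_startup_folders() -> list[Path]:
    """Per-user and all-users Startup folders on a live Windows host (assumed standard
    locations). On non-Windows hosts the variables are absent and the list is empty."""
    folders = []
    for var, suffix in (("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),
                        ("PROGRAMDATA", "Microsoft/Windows/Start Menu/Programs/StartUp")):
        base = os.environ.get(var)
        if base:
            folders.append(Path(base) / suffix)
    return folders


def find_hog_files(root: Path) -> list[Path]:
    """Every regular file under root whose final extension is .hog."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == HOG_EXTENSION)


def find_decryptor(startup_folders: list[Path]) -> list[Path]:
    """Copies of the decryptor name present in any of the given Startup folders."""
    return [f / DECRYPTOR_NAME for f in startup_folders if (f / DECRYPTOR_NAME).is_file()]


def triage(root: Path, startup_folders: list[Path]) -> dict:
    """Combine both checks into a verdict: both artifacts together are a strong match,
    one alone is worth a human look, none means nothing found."""
    hog_files = find_hog_files(root)
    decryptor = find_decryptor(startup_folders)
    if hog_files and decryptor:
        verdict = "hog-ransomware-artifacts"
    elif hog_files or decryptor:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hog_files": hog_files, "decryptor_in_startup": decryptor, "verdict": verdict}


def build_sample_profile(base: Path) -> list[Path]:
    """Construct a fake profile: two renamed documents, one untouched file and the decryptor
    name in a fake per-user Startup folder. Returns the Startup folders to check."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.hog").write_bytes(b"constructed ciphertext placeholder")
    (docs / "photo.jpg.hog").write_bytes(b"constructed ciphertext placeholder")
    (docs / "notes.txt").write_text("untouched plaintext")
    startup = base / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (startup / DECRYPTOR_NAME).write_bytes(b"constructed placeholder, not the real binary")
    return [startup]


def run_demo() -> dict:
    """Build the constructed profile, triage it, and return findings with paths made
    relative to the profile root so the result is stable across runs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        result = triage(base, build_sample_profile(base))
        result["hog_files"] = [str(p.relative_to(base)) for p in result["hog_files"]]
        result["decryptor_in_startup"] = [str(p.relative_to(base)) for p in result["decryptor_in_startup"]]
        return result


if __name__ == "__main__":
    print(run_demo())
```

The verdict deliberately separates "both artifacts" from "one artifact": a stray .hog file on its own could be an unrelated format, while the decryptor name in a Startup folder together with renamed files matches the sequence the article describes.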

The decryptor explains to the victim in detail what has happened to them and then prompts the victim to enter the Discord user token created specifically for them.

For those unfamiliar with it, Discord is a voice and text chat system for communicating with others. Anyone can create a server to discuss whatever they want, and you can find people to talk to about Valkyrie and form teams at most times of the day. Learn more about Discord in this article.
The Discord token allows the ransomware to authenticate to the Discord API as the user and check whether they have joined the attackers’ server, as shown in the source code below.

If the victim has joined the server, or the server no longer exists, the ransomware decrypts the victim’s files using a static key embedded in the ransomware.
While Hog appears to be ransomware still in development, it illustrates a tendency among threat actors to use Discord more and more often for malicious activity.
Another ransomware family, named Humble, was recently spotted by Trend Micro using a webhook to post details about new victims to the attackers’ Discord server.
In addition, Discord is often used by threat actors to distribute malware and to collect stolen data.
Given this trend, administrators and network security tools should monitor Discord traffic more closely so that threats or unusual behavior can be detected early.
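As an added example of the kind of Discord traffic monitoring the article recommends (this is illustrative code, not from the article, MalwareHunterTeam or Trend Micro), the script below runs two heuristics over constructed web-proxy log lines: Discord API requests whose user agent is neither a browser nor the Discord desktop client (what a script or malware checking server membership with a user token would look like), and POSTs from a workstation to a Discord webhook URL (the channel Humble used to report victims). The log layout, the API paths, the user-agent allow-list and the IP addresses are all assumptions constructed for the example.

```python
"""Flag suspicious Discord API traffic in proxy logs. Log format, endpoint paths,
user agents and client addresses below are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts that front Discord's API: discord.com today, discordapp.com historically.
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
API_PREFIX = "/api/"
WEBHOOK_PREFIX = "/api/webhooks/"
# Assumed allow-list: user-agent prefixes expected for legitimate Discord use
# (browsers and the Electron-based desktop client).
EXPECTED_UA_MARKERS = ("Mozilla/", "Discord/")

# Assumed proxy log layout: <date> <time> <client-ip> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; paths, agents and addresses are not values from the article.
SAMPLE_LOG = """\
2021-04-09 10:16:31 10.0.0.12 GET https://discord.com/api/v9/users/@me/guilds 200 "python-requests/2.25.1"
2021-04-09 10:17:02 10.0.0.15 GET https://discord.com/channels/@me 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0"
2021-04-09 10:17:40 10.0.0.15 GET https://discord.com/api/v9/users/@me 200 "Discord/0.0.309 Chrome/83.0 Electron/9.3.5"
2021-04-09 10:18:05 10.0.0.12 POST https://discord.com/api/webhooks/ID-PLACEHOLDER/TOKEN-PLACEHOLDER 204 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)"
2021-04-09 10:18:30 10.0.0.20 GET https://example.com/index.html 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/87.0"
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    path: str
    reason: str


def parse_line(line: str) -> dict[str, str] | None:
    """Return the named fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict[str, str]) -> Alert | None:
    """Apply both heuristics to one parsed request; None means nothing to flag."""
    if rec["host"].lower() not in DISCORD_HOSTS or not rec["path"].startswith(API_PREFIX):
        return None
    # Heuristic 1: an endpoint posting to a Discord webhook. Webhooks are normally
    # called by servers and bots, so a workstation doing it deserves a look.
    if rec["method"] == "POST" and rec["path"].startswith(WEBHOOK_PREFIX):
        return Alert(rec["ts"], rec["src"], rec["path"], "webhook_post_from_endpoint")
    # Heuristic 2: Discord API calls from something that is neither a browser nor
    # the Discord client, which is how scripted token-based API use tends to appear.
    if not rec["ua"].startswith(EXPECTED_UA_MARKERS):
        return Alert(rec["ts"], rec["src"], rec["path"], "api_call_unexpected_user_agent")
    return None


def scan(log_text: str) -> list[Alert]:
    """Run classify() over every parsable line and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; count these separately in production
        alert = classify(rec)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} {a.reason} {a.path}")
```

On the constructed log this produces two alerts, both from the same workstation: the scripted call to the guild-membership endpoint and the webhook POST. A user-agent allow-list is a coarse filter that malware can spoof, so in practice pair it with process-level telemetry (which executable opened the connection) rather than relying on it alone.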