April 26, 2021 By David Bisson 2 min read

Most ransomware actors are in it for the money. But, that doesn’t appear to be the case for whoever created the ‘Hog’ crypto-malware strain.

Instead, Hog’s operators informed at least some of their victims that they’ll restore the affected files if those victims agree to join their Discord server. Read on to learn how this new ransomware verifies whether a victim has complied with this unusual data security problem.

A Discord User Token for All

The encryptor used by Hog began by checking to see if a certain Discord server existed. If this check came back positive, the ransomware strain proceeded to encrypt a victim’s files. It appended the .hog extension to the file names of all of the affected files and extracted its decryptor feature. It then automatically ran this decryption utility from the Windows Startup folder after completing its encryption routine.

The ‘Hog Ransomware Decryptor’ component informed a victim that the malware had encrypted their files using AES-256. It went on to tell them that they could recover their files if they agreed to join their Discord server. They could do this using a Discord account token shared by the component.

By handing out tokens, the ransomware attackers ensured that they could authenticate themselves to Discord’s application programming interface as their victims. They could use that process to confirm whether the victims had indeed joined their server.

If the victim complied, the Hog Ransomware Decryptor feature proceeded to decrypt the victim’s files. The ransomware would do this even if it failed to confirm the existence of the attackers’ server.

A Growing Preference for Discord Among Ransomware Actors

Hog isn’t the first malware family that’s leveraged Discord in some way. Threat actors misused the Discord content delivery network (CDN) to target others — even non-Discord users — with a variety of threats in February, according to Zscaler. People who do have accounts also face other Discord security issues, such as a 2019 Discord phishing attack.

One of those instances involved a loader that dropped a sample of Epsilon onto a victim’s machine. In that attack, the ransomware strain established persistence, then encrypted a victim’s files. After completing its encryption routine, Epsilon then used Discord’s CDN network as a command-and-control server. Through this, it downloaded its ransom note along with an image of that message to function as a victim’s desktop wallpaper.

Trend Micro discovered two new ransomware families in March. One of those threats, dubbed ‘Humble’, used a public webhook from Discord in order to establish communication with its handlers. It also leveraged the webhook to publish infection reports pertaining to its victims.

How to Defend Against Hog

The analysis published by Bleeping Computer didn’t mention how Hog’s operators distribute it. With that said, the best way for organizations to currently protect themselves against Hog is to follow general ransomware prevention steps. Those measures include building a positive security culture. Invest in a security awareness training program, which makes sure employees are familiar with phishing attacks and other common vectors for ransomware.

In addition, you might consider putting technical controls in place designed to limit the impact of a successful ransomware infection. For instance, user behavior analytics can spot a potential account compromise, security policies can prevent the data theft and data backups can restore systems in the event of an infection or other application security problem.

More from News

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Has BlackCat returned as Cicada3301? Maybe.

4 min read - In 2022, BlackCat ransomware (also known as ALPHV) was among the top malware types tracked by IBM X-Force. The following year, the threat actor group added new tools and tactics to enhance BlackCat's impact. The effort paid off — literally. In March 2024, BlackCat successfully compromised Change Healthcare and received a ransom payment of $22 million in Bitcoin. But here's where things get weird: Immediately after taking payment, BlackCat closed its doors, citing "the feds" as the reason for the…

Biden-⁠Harris administration releases roadmap to enhance internet routing

2 min read - The Biden-Harris Administration has taken another step toward improving the nation’s cybersecurity. In September, the White House Office of the National Cyber Director (ONCD) announced it was putting policies in place to address a key security vulnerability associated with the Border Gateway Protocol (BGP). BGP is a set of rules that helps the internet work by selecting the best route for data to travel between networks. It is a fundamental protocol that allows networks to communicate with each other. However,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today