AXLocker Ransomware Leaves Filenames Untouched

AXLocker is a new ransomware strain spotted in the wild in mid-November 2022. The ransomware does not belong to any larger family of variants.

AXLocker encrypts the contents of files on the compromised system, making them unreadable, and then displays a ransom demand notice in a pop-up window.

Unlike almost every other strain of ransomware, AXLocker does not alter the original file names of encrypted files, which means it will be impossible to visually tell which files are encrypted and which are not before you try opening them.

The encryption will affect the majority of widely used extensions and file types including documents, media files, archives and executables.
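Because the extensions stay intact, one way to triage a folder is to compare each file's leading bytes with the signature its extension implies. The sketch below is an added example, not code from the original article. It assumes encryption replaces the file header, which this page does not confirm, and the signature table, function names and sample files are constructed for illustration.

```python
import math
import os
import tempfile

# Well-known leading signatures for common formats (generic, not AXLocker-specific).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def triage(root: str, sample: int = 4096) -> dict:
    """Map each file whose header contradicts its extension to its head entropy."""
    suspects = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if sigs is None:
                continue  # no signature known for this extension: cannot judge
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            if head and not any(head.startswith(s) for s in sigs):
                suspects[os.path.relpath(path, root)] = round(shannon_entropy(head), 2)
    return suspects

def demo() -> dict:
    """Constructed sample tree: one intact PDF, one PDF-named file of random bytes."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "intact.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.7\n% constructed sample\n")
        with open(os.path.join(root, "report.pdf"), "wb") as fh:
            fh.write(os.urandom(4096))  # stand-in for encrypted content
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"plain text has no magic bytes\n")
        return triage(root)
```

The header mismatch is the primary signal. The entropy figure only helps rank the hits, since compressed formats such as archives are high-entropy even when intact.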

Upon successful encryption, the ransom note is displayed in a pop-up window and no plain-text file is generated anywhere. The full ransom note reads as follows:


Private key will be deleted in:

(timer module)

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. The server will eliminate the key after a time period specified in this window.


1. Do not turn off the ransomware, if you do so the private key will be deleted.

2. Do not turn off the computer.

How can i decrypt my files?

Send email to: anoynmous.axo at proton dot me with your personal id

Once you will send the email you have to wait 48 Hours

After 48 Hours we will send you a decryption program with your decryption key

Your unique personal ID:

(long alphanumeric string)

November 16, 2022