
One More Threat For Organizations – The Ako Ransomware

by Abeerah Hashim

After Sodinokibi, DeathRansom, Clop, and SNAKE, now comes the Ako ransomware. Like most others, this malware also targets businesses and aims to spread over entire networks instead of individual systems.

About Ako Ransomware

Bleeping Computer has shared its analysis of a new ransomware in town. This time, it is the Ako ransomware that poses a threat to organizations.

The ransomware caught their attention after a victim posted about it on the Bleeping Computer forum. The victim revealed that the ransomware affected the Windows 10 desktop and Windows SBS 2011 server.

Together with Vitali Kremez of SentinelLabs, Bleeping Computer analyzed the malware and determined it to be a new ransomware. While the initial analysis hinted at some similarities with MedusaLocker, the Ako operators have confirmed it to be their ‘own product’. According to their email to Bleeping Computer,

We see news about us. But that is wrong. About MedusaReborn. We have nothing to do with Medusa or anything else. This is our own product – Ako Ransomware, well, this is if you are of course interested.

In brief, Ako works in quite a sophisticated manner. After infection, it first deletes the shadow volume copies and recent backups. It also disables the Windows recovery environment before beginning the data encryption.

Then, during the encryption process, it skips files with .exe, .sys, .dll, .ini, .key, .lnk, and .rdp extensions. It also excludes file paths lacking the following strings: $, AppData, Program Files, Program Files (x86), AppData, boot, PerfLogs, ProgramData, Google, Intel, Microsoft, Application Data, Tor Browser, Windows.

While encrypting the files, it appends a randomly generated extension to each file name and adds a CECAEFBE file marker to the encrypted files so that the ransomware can identify them. It then checks other machines on the network to complete the encryption process. Finally, it places a ransom note named “ako-readme.txt” on the desktop.
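For incident scoping, the marker and the ransom note name described above can be used to inventory affected files. The following is an added example, not code from the article or from Bleeping Computer's analysis; it assumes the marker is stored as the four raw bytes CE CA EF BE near the start or end of a file, and the function names and the 4096-byte window are hypothetical choices.

```python
import os
import tempfile

MARKER = bytes.fromhex("CECAEFBE")  # assumption: marker is four raw bytes
RANSOM_NOTE = "ako-readme.txt"
SKIPPED_EXT = {".exe", ".sys", ".dll", ".ini", ".key", ".lnk", ".rdp"}
WINDOW = 4096  # assumption: marker sits near the start or end of the file

def has_marker(path, window=WINDOW):
    """True if the marker occurs in the first or last `window` bytes."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        chunks = [fh.read(window)]
        if size > window:
            fh.seek(size - window)
            chunks.append(fh.read(window))
    return any(MARKER in c for c in chunks)

def scan(root):
    """Walk `root`; return (files carrying the marker, ransom notes)."""
    marked, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif os.path.splitext(name)[1].lower() not in SKIPPED_EXT:
                try:
                    if has_marker(path):
                        marked.append(path)  # a lead to verify, not proof
                except OSError:
                    pass  # locked or unreadable: keep scanning
    return sorted(marked), sorted(notes)

def demo():
    """Run scan() over a constructed tree of sample files."""
    samples = {
        "report.docx.x1Y2z3": b"\x00" * 5000 + MARKER + b"\x11" * 32,
        "notes.txt": b"plain text, untouched\n",
        "setup.exe": b"MZ" + MARKER,  # extension the article says is skipped
        RANSOM_NOTE: b"constructed placeholder note\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return tuple([os.path.basename(p) for p in hits] for hits in scan(root))

if __name__ == "__main__":
    print(demo())
```

Four bytes can occur by chance in unrelated binary data, so each hit should be confirmed against the file's timestamps and the random extension before it is counted as encrypted.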

A Serious Threat To Businesses

The operators told Bleeping Computer that, before encrypting the data, they also steal it as part of their ‘job’.

Moreover, Ako, like most modern ransomware, does not remain confined to individual systems. Rather, the attack aims at infecting the entire network, thus compelling the victim firms to pay the ransom.

For now, it isn’t clear how the attackers behind this ransomware distribute it. Yet, Lawrence Abrams deems it ‘likely’ that the malware exploits Remote Desktop services to spread the infection.

Let us know your thoughts in the comments.
