After Sodinokibi, DeathRansom, Clop, and SNAKE, now comes the Ako ransomware. Like most others, this malware also targets businesses and aims to spread over entire networks instead of individual systems.
About Ako Ransomware
Bleeping Computer have shared their analysis of new ransomware in town. This time, it is the Ako ransomware that poses a threat to organizations.
The ransomware caught their attention after a victim posted about it on their forum. The victim revealed that the ransomware affected the Windows 10 desktop and Windows SBS 2011 server.
Together with Vitali Kremez of SentinelLab, Bleeping Computer analyzed the malware and discovered it as a new ransomware. While the initial analysis hinted some similarities with MedusaLocker, the Ako operators have confirmed it to be their ‘own product’. According to their email to Bleeping Computer,
We see news about us. But that is wrong. About MedusaReborn. We have nothing to do with Medusa or anything else. This is our own product – Ako Ransomware, well, this is if you are of course interested.
In brief, Ako works in quite a sophisticated manner, by first deleting the shadow volume copies and recent backups after infection. Moreover, it also disables the Windows recovery environment before beginning the data encryption.
Then, during the encryption process, it skips files with .exe, .sys, .dll, .ini, .key, .lnk, and .rdp extensions. Moreover, it also excludes the files paths lacking $,AppData, Program Files, Program Files (x86), AppData, boot, PerfLogs, ProgramData, Google, Intel, Microsoft, Application Data, Tor Browser, Windows strings.
While encrypting the files, it adds a randomly generated extension to the files, it also adds a CECAEFBE file marker to the encrypted files so that the ransomware can identify them. It then checks other machines on the network to complete the encryption process. And, in the end, it places the ransom note entitled “ako-readme.txt” on the desktop.
A Serious Threat To Businesses
They told Bleeping Computer, before encrypting the data, they also steal it as part of their ‘job’.
Moreover, Ako, like most modern ransomware, also does not remain confined to individual systems. Rather the attack aims at infecting the entire network, thus, compelling the victim firms to pay the ransom.
For now, it isn’t clear how the attackers behind this ransomware distribute it. Yet, Lawrence Abrams deems it ‘likely’ that the malware exploits Remote Desktop services for spreading the infection.
Let us know your thoughts in the comments.