- Ako falls into the category of most modern ransomware: it does not remain confined to individual systems but spreads through networks.
- The ransomware places the ransom note entitled “ako-readme.txt” on the desktop.
As disclosed by the Bleeping Computer team, Ako ransomware was seen targeting entire networks rather than just individual workstations.
The Ako ransomware was discovered after a victim posted about it on the Bleeping Computer forums. Bleeping Computer analyzed the malware and found that it was a new ransomware family.
- As per the victim, the ransomware affected a Windows 10 desktop and a Windows SBS 2011 server.
- Though the researchers' initial analysis had hinted at some similarities with MedusaLocker, the attackers said in an email that it was their own product.
In the email (to the Bleeping Computer team), the threat actor said “We see news about us. But that is wrong. About MedusaReborn. We have nothing to do with Medusa or anything else. This is our own product – Ako Ransomware, well, this is if you are of course interested.”
How does it work?
Ako works in quite a sophisticated manner.
- Upon entering the system, the ransomware first deletes the Volume Shadow Copies and recent backups, removing the easiest local recovery path.
- It then disables the Windows Recovery Environment before beginning the data encryption.
- While encrypting, it appends a randomly generated extension to each file. It also adds a CECAEFBE file marker to the encrypted files so that the ransomware can recognize files it has already processed.
- During the encryption, it skips files with the .exe, .sys, .dll, .ini, .key, .lnk, and .rdp extensions. It also skips files whose paths contain any of the strings $, AppData, Program Files, Program Files (x86), boot, PerfLogs, Tor Browser, Windows, ProgramData, Google, Intel, Microsoft, and Application Data, so that the operating system stays bootable enough to display the ransom demand.
- It then scans for other machines reachable on the network and extends the encryption to them.
- In the end, the ransomware places the ransom note entitled “ako-readme.txt” on the desktop.
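The file-selection and marker behaviour described in the steps above can be turned into a defender-side triage tool. The following is an added example written for this page, not code from the article, from Bleeping Computer, or from the Ako operators. It models the extension and path-string exclusion rules exactly as listed above so an analyst can predict which files on a host would be hit, and it scans a directory tree for files carrying the CECAEFBE marker to identify already-encrypted files. Two details are assumptions not stated on the page: that the marker is the raw four bytes CE CA EF BE appended at the very end of each encrypted file, and that the path-string matching is case-insensitive. The sample directory tree, file names and contents are constructed for the demonstration.

```python
"""
Added example (not from the article or from the Ako authors): a defender-side
helper that models Ako's file-selection rules as described in the article,
plus a triage scan that finds files carrying the CECAEFBE marker.

Assumptions (not stated on the page): the marker is the four raw bytes
CE CA EF BE appended at the very end of each encrypted file, and path-string
matching is case-insensitive. Adjust MARKER if your sample differs.
"""
import os
import tempfile

# Exclusion rules quoted from the article's description of Ako.
SKIPPED_EXTENSIONS = {".exe", ".sys", ".dll", ".ini", ".key", ".lnk", ".rdp"}
SKIPPED_PATH_STRINGS = [
    "$", "AppData", "Program Files", "Program Files (x86)", "boot", "PerfLogs",
    "Tor Browser", "Windows", "ProgramData", "Google", "Intel", "Microsoft",
    "Application Data",
]
MARKER = bytes.fromhex("CECAEFBE")  # assumed byte form and placement (end of file)


def is_target(path: str) -> bool:
    """Return True if Ako's rules (as described) would encrypt this file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in SKIPPED_EXTENSIONS:
        return False
    lowered = path.lower()
    # Plain substring match: note that it also excludes e.g. "intelligence.doc",
    # a side effect of the coarse string list the article describes.
    return not any(s.lower() in lowered for s in SKIPPED_PATH_STRINGS)


def is_marked(path: str) -> bool:
    """True if the file ends with the assumed CECAEFBE marker bytes."""
    try:
        with open(path, "rb") as f:
            f.seek(0, os.SEEK_END)
            if f.tell() < len(MARKER):
                return False
            f.seek(-len(MARKER), os.SEEK_END)
            return f.read(len(MARKER)) == MARKER
    except OSError:
        return False


def find_encrypted(root: str) -> list[str]:
    """Walk root and return sorted relative paths of files carrying the marker."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_marked(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample tree: two 'encrypted' files and two clean ones."""
    root = tempfile.mkdtemp(prefix="ako_demo_")
    os.makedirs(os.path.join(root, "Users", "alice", "Documents"))
    os.makedirs(os.path.join(root, "Windows", "System32"))
    samples = {
        # random-looking extensions stand in for Ako's generated extension
        os.path.join("Users", "alice", "Documents", "report.docx.x7q2p"): b"ciphertext" + MARKER,
        os.path.join("Users", "alice", "Documents", "budget.xlsx"): b"PK\x03\x04 real spreadsheet",
        os.path.join("Users", "alice", "notes.txt.k9z1"): b"more ciphertext" + MARKER,
        os.path.join("Windows", "System32", "kernel32.dll"): b"MZ untouched",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for p in [r"C:\Users\alice\Documents\report.docx",
              r"C:\Windows\System32\kernel32.dll",
              r"C:\Users\alice\AppData\Roaming\x.dat",
              r"C:\Data\tool.exe"]:
        print(f"{'ENCRYPT' if is_target(p) else 'skip   '} {p}")
    print("marked files:", find_encrypted(build_sample_tree()))
```

Running `find_encrypted` against a live share after an incident gives a quick scope estimate before any recovery decision, while `is_target` is useful for estimating exposure beforehand: anything it returns True for and that is not backed up off-host is at risk under the behaviour the article describes. If a real sample shows the marker at a different offset or in a different form, change `MARKER` and `is_marked` accordingly rather than trusting the assumption here.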
A serious threat
The attackers told the Bleeping Computer team that they also steal some data as part of their ‘job’, so an Ako incident should be treated as a possible data breach and not only as an encryption event.
- Ako falls into the category of modern ransomware: it does not remain confined to individual systems but spreads through networks.
- By infecting the entire network rather than a single machine, it puts far more pressure on victim firms to pay the ransom, which could cost them millions.
As of now, it is not clear what technique the attackers use to distribute the malware. However, researchers consider it likely that the attackers exploit exposed Remote Desktop services to spread the infection.