After Sodinokibi, DeathRansom, Clop, and SNAKE, now comes the Ako ransomware. Like most others, this malware also targets businesses and aims to spread over entire networks instead of individual systems.
Bleeping Computer has shared its analysis of a new ransomware in town. This time, it is the Ako ransomware that poses a threat to organizations.
The ransomware caught their attention after a victim posted about it on their forum. The victim revealed that the ransomware had hit a Windows 10 desktop and a Windows SBS 2011 server.
Together with Vitali Kremez of SentinelLabs, Bleeping Computer analyzed the malware and identified it as a new ransomware. While the initial analysis hinted at some similarities with MedusaLocker, the Ako operators have confirmed it to be their ‘own product’. According to their email to Bleeping Computer,
In brief, Ako works in quite a sophisticated manner: after infection it first deletes the shadow volume copies and recent backups. It also disables the Windows recovery environment before beginning the data encryption.
Then, during the encryption process, it skips files with the .exe, .sys, .dll, .ini, .key, .lnk, and .rdp extensions. It also excludes file paths lacking the strings $, AppData, Program Files, Program Files (x86), AppData, boot, PerfLogs, ProgramData, Google, Intel, Microsoft, Application Data, Tor Browser, and Windows.
While encrypting the files, it appends a randomly generated extension to each one. It also adds a CECAEFBE file marker to the encrypted files so that the ransomware can identify them. It then checks other machines on the network to complete the encryption process. And, in the end, it places the ransom note entitled “ako-readme.txt” on the desktop.
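The file marker and the ransom note described above are the two artifacts a responder can look for when scoping an Ako infection. The following triage scanner is an added example, not code from the article or from Bleeping Computer's analysis. It assumes, since the article does not say, that the CECAEFBE marker is stored as the four raw bytes CE CA EF BE (the ASCII spelling is checked as a fallback) and that it sits at the end of the file; the sample directory tree it builds is constructed for the demonstration and contains no real victim data.

```python
"""Triage scanner for Ako-style encrypted files (added example, not from the article).

Assumptions not stated in the article: the CECAEFBE marker is the raw bytes
CE CA EF BE and is located at the end of each encrypted file. The scanner also
checks the first bytes and the ASCII spelling so that a wrong guess about the
marker's form still produces a hit.
"""
import os
import tempfile
from pathlib import Path

MARKER = bytes.fromhex("CECAEFBE")   # assumption: raw bytes, not ASCII text
MARKER_ASCII = b"CECAEFBE"           # fallback in case the marker is literal text
RANSOM_NOTE = "ako-readme.txt"       # note file name given in the article


def has_ako_marker(path: Path) -> bool:
    """Return True if the marker appears in the first or last 8 bytes of the file."""
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            head = fh.read(8)
            if size >= 8:
                fh.seek(-8, os.SEEK_END)
            else:
                fh.seek(0)
            tail = fh.read(8)
    except OSError:
        return False
    return any(MARKER in chunk or MARKER_ASCII in chunk for chunk in (head, tail))


def scan_tree(root: Path) -> dict:
    """Walk a directory tree and collect marked files, ransom notes and the
    distinct extensions seen on marked files (Ako appends a random one)."""
    marked, notes, extensions = [], [], set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == RANSOM_NOTE:
            notes.append(p)
            continue
        if has_ako_marker(p):
            marked.append(p)
            extensions.add(p.suffix)
    return {"marked": marked, "notes": notes, "extensions": extensions}


def build_sample_tree(base: Path) -> Path:
    """Create a constructed sample tree (placeholder content, not victim data)."""
    docs = base / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    # "encrypted" file: random payload followed by the assumed marker
    (docs / "report.docx.x7k2q").write_bytes(os.urandom(64) + MARKER)
    # a file smaller than 8 bytes exercises the short-file branch
    (docs / "tiny.x7k2q").write_bytes(MARKER)
    (docs / "clean.txt").write_bytes(b"hello world")
    (base / RANSOM_NOTE).write_text("constructed placeholder ransom note\n")
    return base


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, scan it and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        result = scan_tree(build_sample_tree(Path(tmp)))
        return {
            "marked": len(result["marked"]),
            "notes": len(result["notes"]),
            "extensions": sorted(result["extensions"]),
        }


if __name__ == "__main__":
    print(run_demo())
```

A four-byte marker on its own is a weak signal (legitimate files can end with those bytes by chance), so treat a hit as confirmed only when it coincides with the ransom note and a single shared random extension across the marked files, which is the pattern the article describes. Skipping the ransom note itself keeps it out of the encrypted-file count.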