A new ransomware called Ako has emerged, and it behaves differently from previously discovered families. According to the report, a victim of this new malware posted in an online forum after both his Windows 10 desktop and his SBS 2011 server were encrypted.
An analysis by Bleeping Computer concluded that Ako is a new ransomware family, based on its ransom note and Tor payment site. It does, however, share traits with MedusaLocker: the registry value that disables mapped-drive targeting, the way it isolates machines for encryption, and its anti-Windows behavior.
Because of these shared traits, it was tempting to attribute Ako to the same operator as MedusaLocker. However, an email Bleeping Computer received from the ransomware operator stated that they have nothing to do with MedusaLocker, which is also called MedusaReborn. They claimed that Ako is their own product, and also admitted that stealing data before encrypting it is part of their operation.
This product has been deployed and is possibly available to other threat actors on the dark web. The primary goal of the Ako ransomware is the same as that of the other big names in the market: encrypt data and demand a ransom through a displayed ransom note.
Image Source: www.roundthenet.com
According to the report, the Ako ransomware goes through several steps before encrypting data. It first deletes the Windows shadow copies and recent backups, then executes a command to disable the Windows recovery environment and creates a registry value. While encrypting data, it collects the list of network adapters and their associated IP addresses using the GetAdaptersInfo API.
According to the analysis published by Bleeping Computer, it then performs a ping scan of the local networks to discover responding machines. Responding machines are scanned for network shares, which are then encrypted as well.
The researchers discovered that the Ako ransomware encrypts the encryption key used to encrypt the targeted computer, and saves the encrypted key in a file named id.key on the victim's computer. After the encryption process completes, a ransom note named ako-readme.txt is displayed on the victim's desktop. It contains a link to the operator's Tor payment site, along with instructions on how to make the payment and the amount demanded.
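To make the behaviour chain above concrete from a detection standpoint, here is an added Python example (not code from the article or from Bleeping Computer) that correlates process-creation and file-creation events per host and flags the recovery-inhibition steps the article describes (shadow copy and backup deletion, the recovery environment being disabled) together with the file artifacts it names (ako-readme.txt and id.key). The simplified key=value event format and the sample event lines are constructed for this example; the exact command forms matched (vssadmin, wmic, wbadmin, bcdedit) are assumed, commonly seen variants, not commands quoted from the article, and the network share scanning step is not covered.

```python
import re
from collections import defaultdict

# Command-line patterns for the recovery-inhibition steps the article describes.
# The concrete command forms are assumed common variants, not taken from the article.
RECOVERY_INHIBITION = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmi_shadow_copy_deletion": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\b", re.I),
    "recovery_env_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# File artifacts named in the article: the ransom note and the encrypted key file.
RANSOM_ARTIFACTS = {
    "ransom_note": re.compile(r"(?:^|[\\/])ako-readme\.txt$", re.I),
    "encrypted_key_file": re.compile(r"(?:^|[\\/])id\.key$", re.I),
}

# Constructed sample telemetry (not captured Ako data): process-creation events ...
SAMPLE_EVENTS = [
    "host=WS01 pid=412 image=C:\\Windows\\explorer.exe cmd=explorer.exe",
    "host=WS01 pid=913 image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "host=WS01 pid=920 image=C:\\Windows\\System32\\wbadmin.exe cmd=wbadmin delete catalog -quiet",
    "host=WS01 pid=931 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled no",
    "host=SRV01 pid=55 image=C:\\Windows\\System32\\svchost.exe cmd=svchost.exe -k netsvcs",
]
# ... and file-creation events.
SAMPLE_FILE_EVENTS = [
    "host=WS01 pid=944 op=create path=C:\\Users\\u\\Desktop\\ako-readme.txt",
    "host=WS01 pid=944 op=create path=C:\\Users\\u\\Documents\\id.key",
    "host=SRV01 pid=70 op=create path=C:\\Shares\\report.docx",
]

# Lazy value match that stops at the next " key=" token or at end of line,
# so values containing spaces (command lines, paths) survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one 'key=value key=value ...' event line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def classify_process(event):
    """Return the recovery-inhibition technique a process event matches, or None."""
    cmd = event.get("cmd", "")
    for name, pattern in RECOVERY_INHIBITION.items():
        if pattern.search(cmd):
            return name
    return None


def classify_file(event):
    """Return the ransomware artifact a file event matches, or None."""
    path = event.get("path", "")
    for name, pattern in RANSOM_ARTIFACTS.items():
        if pattern.search(path):
            return name
    return None


def analyze(proc_lines, file_lines, min_techniques=2):
    """Correlate indicators per host.

    Returns {host: {"techniques": [...], "artifacts": [...], "verdict": str}} for
    hosts with at least one indicator. Several distinct recovery-inhibition
    techniques on one host, or any ransom artifact, is treated as high confidence;
    a single command on its own is only flagged for review.
    """
    per_host = defaultdict(lambda: {"techniques": set(), "artifacts": set()})
    for line in proc_lines:
        ev = parse_event(line)
        technique = classify_process(ev)
        if technique:
            per_host[ev["host"]]["techniques"].add(technique)
    for line in file_lines:
        ev = parse_event(line)
        artifact = classify_file(ev)
        if artifact:
            per_host[ev["host"]]["artifacts"].add(artifact)

    report = {}
    for host, found in per_host.items():
        if found["artifacts"]:
            verdict = "high: ransom note / encrypted key file present"
        elif len(found["techniques"]) >= min_techniques:
            verdict = "high: recovery-inhibition chain (ransomware precursor)"
        elif found["techniques"]:
            verdict = "review: single recovery-inhibition command"
        else:
            continue
        report[host] = {
            "techniques": sorted(found["techniques"]),
            "artifacts": sorted(found["artifacts"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS, SAMPLE_FILE_EVENTS).items():
        print(host, finding)
```

Requiring two distinct techniques before raising a high-confidence alert keeps a lone administrator running vssadmin from paging the on-call, while the ransom note and id.key names are specific enough to alert on their own.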
To access the payment instructions on the Tor site, the victim must enter the Personal ID found in the ransom note. A quick look at the Tor site showed that it offers a chat service. It also allows a free test decryption of only one file, whereas other ransomware operations typically allow about three.
Another source reports that the ransom notes usually contain email addresses of the threat actors, who guide victims through the payment process. On the Tor payment site, victims are asked to buy a decryption key to unlock their data, typically priced at 0.479 BTC. If payment is not made within two days, the price increases to 0.9576 BTC.
Another finding is that the infection targets the network rather than an individual workstation. The researchers concluded this after noticing that the ransom note states "Your network has been locked".
When the researchers asked the operator whether they attack both networks and individual workstations, the operator replied that they only work on networks. Researchers have not yet determined how the ransomware is distributed, but they suspect it may be delivered through compromised Remote Desktop services.
Experts advise ransomware victims not to follow the threat actors' instructions and pay the ransom, as there is no guarantee of receiving the decryption key after payment. Threat actors are also more likely to target the same organization again if they easily get what they are looking for. In the case of Ako, the operators specifically said that they steal data before encrypting it, which means they may still sell their copy on the dark web even after the ransom is paid.
Image Source: www.bleepingcomputer.com
Many ransomware families have already been launched to encrypt files, and new ones are expected from threat actors. This puts businesses and government agencies under constant threat. Though the mode of operation of some of this malware is fairly complex, infections can still be prevented by being mindful of the links employees open in their emails and the kinds of websites they visit.
Keeping anti-virus tools updated and taking staff through basic cybersecurity training are good first steps toward protecting sensitive files against this kind of potent malware.
Source: Bleeping Computer