Ako
AKO is a ransomware family active from at least January 2020.
Profile source: Mallory opens in a new tabAko
Family profile
AKO is a ransomware family active from at least January 2020. The provided content describes it as a double-extortion operation that initially targeted corporate networks with exposed RDP services, encrypting victim data while also stealing files and demanding an additional payment to delete the stolen data. If victims do not pay, AKO publishes the data on its "Data Leak Blog" leak site. AKO is also discussed alongside MEDUSALOCKER, ThunderX, AVADDON, and RANZY in comparative technical analysis, where it is described as a C++ ransomware family using AES-256-CBC for symmetric encryption and RSA for asymmetric encryption, with a unique encryption key generated per file. It is reported to append the file signature value 0xBEEFCACE in an end-of-file structure. The content further states that AKO shares code and functional similarities with MEDUSALOCKER-related families, uses ICMP-based network discovery, and deletes backups/shadow copies using Windows utilities such as wbadmin, bcdedit.exe, and vssadmin.exe, while also emptying the Recycle Bin. Mandiant analyzed AKO as a MEDUSALOCKER variant, and the content notes that AKO and RANZY reportedly used the same Tor onion shaming site: 7rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd[.]onion. Additional context indicates AKO-related infrastructure appeared in BraZZZerS fast-flux/proxy logs among multiple malware families, but no AKO-specific indicators beyond that mention are provided.
Ransomware.live
Operational record
MITRE ATT&CK
Ako in ATT&CK
4 distinct techniquesReporting
Research mentioning Ako
One Source to Rule Them All: Chasing AVADDON Ransomware | Mandiant | Google Cloud Blog
Mandiant analyzed multiple samples of MEDUSALOCKER, Ako, ThunderX, AVADDON and RANZY... *Ako (MEDUSALOCKER variant)
An inside view of domain anonymization as-a-service - the BraZZZerSFF infrastructure | by Benoit ANCEL | CSIS TechBlog | Medium
Those logs are quite diverse, you can see requests from multiple botnet families, for example ISFB, PsixBot, DJVU, Nemty, Ako, Riltok, Coalabot, Cryptbot, Megumin, Azorult, KPOT, Betabot, ZLoader, DiamandFox, Vidar, Lokibot, TinyNuke, OSX malware…
List of ransomware that leaks victims' stolen files if not paid
AKO ransomware began operating in January 2020... If payment is not made, the victim's data is published on their "Data Leak Blog" data leak site.