Ako Ransomware: Another Day, Another Infection Attacking Businesses – BleepingComputer

Like moths to a flame, new ransomware families targeting businesses keep appearing every day, enticed by the prospect of million-dollar ransom payments. An example of this is a new ransomware called Ako that targets the entire network rather than just individual workstations.

Ako was discovered yesterday when a victim posted in the BleepingComputer support forums about a new ransomware that had encrypted both their Windows 10 desktop and their Windows SBS 2011 server.

After looking at the ransom note and the Tor payment site, it quickly became apparent that this was not a ransomware infection we had seen before.

Looking on VirusTotal, I was able to find an older sample of the ransomware and shared it with SentinelLabs' Vitali Kremez, who offered to help analyze it. Soon after, newer samples [1, 2] were found that allowed us to see a broader picture of how this ransomware works.

According to Kremez, who performed the analysis of the ransomware, Ako shares some similarities with MedusaLocker, which has led people to call it MedusaReborn.

"This is the new ransomware-as-a-service offering under development with the version 0.5 that seems to be inspired by the Medusa Locker behavior including its anti-Windows behavior and registry mapped drive disable targeting and isolating specific machines for encryption," Kremez told BleepingComputer.

The ransomware operators themselves reject that connection: they told BleepingComputer via email that the Ako ransomware is their own program.

"We see news about us. But that is wrong. About MedusaReborn. We have nothing to do with Medusa or anything else. This is our own product - Ako Ransomware, well, this is if you are of course interested."

To make matters worse, when we asked the ransomware operators whether they steal data before encrypting, they told us "Yes, it's our job."

When started, Ako will first execute the following commands to delete shadow volume copies, clear recent backups, and disable the Windows recovery environment.

It will also create the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key and set it to 1. This setting makes drive mappings created under a user's standard token visible to that user's elevated (UAC) token as well, so that an elevated process can still reach mapped network drives and encrypt them.
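The staging steps above (shadow copy deletion, backup deletion, recovery environment disabled, EnableLinkedConnections set to 1) are what a defender should be looking for in process-creation and registry telemetry. The following is an added example, not code from the article or from the Ako operators: it runs a small classifier over constructed Sysmon-style event records. The exact command lines in the sample events are typical ones used by ransomware for these purposes and are an assumption, since the article's own command list is not reproduced on this page; the payload name ako.exe is a placeholder.

```python
"""Flag the pre-encryption steps described above in process and registry events.

Added example, not code from the article or from the Ako operators. The
records below are constructed in the shape of a Sysmon-style event export
(process creation and registry value set). The concrete command lines are
ones commonly used by ransomware for these purposes and are an assumption,
since the article's own command list is not reproduced on this page.
"""
import re

# Command-line patterns for the three behaviours the article describes:
# shadow copy deletion, backup deletion, recovery environment switched off.
COMMAND_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "backup_deletion": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:systemstatebackup|catalog)", re.I),
    "recovery_env_disabled": re.compile(r"bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no", re.I),
}

# The registry value the article says Ako sets to 1 (HKLM = HKEY_LOCAL_MACHINE).
LINKED_CONNECTIONS_VALUE = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    r"\EnableLinkedConnections"
)

# Constructed events. "ako.exe" is a placeholder name for the payload.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Users\bob\ako.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Users\bob\ako.exe",
     "CommandLine": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Users\bob\ako.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
    {"EventType": "RegistryValueSet", "Image": r"C:\Users\bob\ako.exe",
     "TargetObject": LINKED_CONNECTIONS_VALUE, "Details": "DWORD (0x00000001)"},
    # Routine administration that must not trip the detection.
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe List Shadows"},
]


def classify_event(event):
    """Return the technique an event indicates, or None if it is uninteresting."""
    if event["EventType"] == "ProcessCreate":
        for name, pattern in COMMAND_PATTERNS.items():
            if pattern.search(event["CommandLine"]):
                return name
    elif event["EventType"] == "RegistryValueSet":
        if event["TargetObject"].lower() == LINKED_CONNECTIONS_VALUE.lower():
            # Sysmon renders DWORD data as "DWORD (0x00000001)".
            match = re.search(r"0x([0-9a-f]+)", event.get("Details", ""), re.I)
            if match and int(match.group(1), 16) == 1:
                return "linked_connections_enabled"
    return None


def triage(events, min_techniques=2):
    """Group findings by the responsible process and flag likely ransomware staging.

    A single shadow-copy deletion can be legitimate; the same parent process
    driving two or more of these steps is what makes the pattern high-fidelity.
    """
    findings = {}
    for event in events:
        technique = classify_event(event)
        if technique is None:
            continue
        actor = event.get("ParentImage") or event.get("Image")
        findings.setdefault(actor, set()).add(technique)
    suspicious = sorted(actor for actor, seen in findings.items()
                        if len(seen) >= min_techniques)
    return {"findings": findings, "suspicious_actors": suspicious}
```

Keying the findings on the parent process rather than on the individual command is the point: vssadmin.exe and bcdedit.exe are legitimate tools, so the alert fires on one process driving several of these steps, not on any one of them.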

The ransomware will now begin to encrypt files on the device.

When encrypting files, Ako will encrypt all files that do not have the .exe, .dll, .sys, .ini, .lnk, .key, or .rdp extensions and whose paths do not contain the following strings:

When a file is encrypted, a randomly generated extension will be appended to the file name. For example, 1.doc would be encrypted and renamed to 1.doc.Ci3Qn3, as shown below.

A CECAEFBE file marker will also be appended to the contents of each file, which can be used to identify that the file was encrypted by Ako. This file marker can be seen in the hex editor view of an encrypted file below.
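The extension allow-list and the trailing marker together give an incident responder a cheap way to inventory damage. The scanner below is an added example, not the article's code: it walks a directory, reports files carrying the marker, and separates untouched files that Ako would have skipped by extension from those it simply never reached. It assumes the marker is the raw byte sequence CE CA EF BE stored as the last four bytes of the file (the article says it is appended to the contents and shows it in a hex editor) and that the random extension is appended after the original name, as in the article's 1.doc to 1.doc.Ci3Qn3. The sample files are constructed in a temporary directory.

```python
"""Triage scanner for files encrypted by Ako.

Added example, not code from the article. Assumptions: the CECAEFBE marker is
the byte sequence CE CA EF BE at the very end of each encrypted file, and the
random extension is appended after the original file name (1.doc.Ci3Qn3).
"""
import os
import tempfile
from pathlib import Path

AKO_MARKER = bytes.fromhex("CECAEFBE")   # assumed byte order, see docstring
SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys", ".ini", ".lnk", ".key", ".rdp"}


def has_ako_marker(path):
    """True if the last four bytes of the file are the Ako marker."""
    size = os.path.getsize(path)
    if size < len(AKO_MARKER):
        return False
    with open(path, "rb") as fh:
        fh.seek(size - len(AKO_MARKER))
        return fh.read(len(AKO_MARKER)) == AKO_MARKER


def original_name(encrypted_name):
    """Strip the appended random extension: '1.doc.Ci3Qn3' -> '1.doc'."""
    stem, _, _ = encrypted_name.rpartition(".")
    return stem


def scan_tree(root):
    """Classify every regular file under root (paths reported relative to root)."""
    root = Path(root)
    report = {"encrypted": [], "skipped_by_extension": [], "intact": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if has_ako_marker(path):
            report["encrypted"].append(rel)
        elif path.suffix.lower() in SKIPPED_EXTENSIONS:
            report["skipped_by_extension"].append(rel)
        else:
            report["intact"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree(root):
    """Constructed fixture: two encrypted files, one skipped binary, one untouched text file."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "1.doc.Ci3Qn3").write_bytes(b"\x8a\x11 ciphertext stand-in" + AKO_MARKER)
    (root / "budget.xlsx.Ci3Qn3").write_bytes(os.urandom(64) + AKO_MARKER)
    (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 30)
    (root / "notes.txt").write_bytes(b"plain text, never touched")


def demo():
    """Build the fixture in a temp directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_tree(tmp)
    report["recovered_names"] = [original_name(Path(p).name) for p in report["encrypted"]]
    return report
```

Reading only the last four bytes keeps the scan fast on large file servers; the recovered original names are what you feed into a restore-from-backup list.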

During the encryption process, Ako will use the GetAdaptersInfo function to get a list of network adapters and their associated IP addresses.

The ransomware will then perform a ping scan of any local networks using the IcmpSendEcho function to create a list of responding machines.

Any machines that respond will be checked for network shares to encrypt as well.
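The discovery sequence just described (enumerate local adapters, echo-probe the local subnet, then go after shares on the hosts that answered) leaves a distinctive network footprint. The detection below is an added example, not the article's code: it looks in flow records for one host that echo-probes many neighbours inside a short window and then opens SMB (TCP/445) to hosts it probed. The flow log and its column layout (ts, src, dst, proto, dport; for ICMP the dport column carries the ICMP type, 8 = echo request) are constructed assumptions, as is treating the source's /24 as its local network.

```python
"""Detect the ping-sweep-then-SMB pattern described above from flow records.

Added example, not the article's code. FLOW_LOG is constructed; its layout and
the /24 "local network" rule are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

FLOW_LOG = """ts,src,dst,proto,dport
0.0,10.0.0.5,10.0.0.1,ICMP,8
0.1,10.0.0.5,10.0.0.2,ICMP,8
0.2,10.0.0.5,10.0.0.3,ICMP,8
0.3,10.0.0.5,10.0.0.4,ICMP,8
0.4,10.0.0.5,10.0.0.6,ICMP,8
0.5,10.0.0.5,10.0.0.7,ICMP,8
0.6,10.0.0.5,10.0.0.8,ICMP,8
0.7,10.0.0.5,10.0.0.9,ICMP,8
0.8,10.0.0.5,10.0.0.10,ICMP,8
0.9,10.0.0.5,10.0.0.11,ICMP,8
1.0,10.0.0.5,10.0.0.12,ICMP,8
1.1,10.0.0.5,10.0.0.13,ICMP,8
3.0,10.0.0.20,10.0.0.1,ICMP,8
4.0,10.0.0.20,93.184.216.34,TCP,443
5.0,10.0.0.5,10.0.0.7,TCP,445
5.2,10.0.0.5,10.0.0.9,TCP,445
"""


def parse_flows(text):
    """Parse the CSV flow log into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": float(row["ts"]), "src": row["src"], "dst": row["dst"],
                     "proto": row["proto"].upper(), "dport": int(row["dport"])})
    return sorted(rows, key=lambda r: r["ts"])


def find_ping_sweeps(flows, min_targets=8, window=10.0):
    """Map src -> set of local hosts it echo-probed, for sources that hit at
    least min_targets distinct hosts within any `window`-second span."""
    probes = defaultdict(list)
    for f in flows:
        if f["proto"] == "ICMP" and f["dport"] == 8:
            local = ipaddress.ip_network(f"{f['src']}/24", strict=False)  # assumption
            if ipaddress.ip_address(f["dst"]) in local:
                probes[f["src"]].append((f["ts"], f["dst"]))
    sweeps = {}
    for src, events in probes.items():            # events are already time-ordered
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                sweeps.setdefault(src, set()).update(targets)
    return sweeps


def find_smb_followups(flows, sweeps):
    """For each sweeping source, the probed hosts it also contacted on TCP/445."""
    result = {}
    for f in flows:
        if f["proto"] == "TCP" and f["dport"] == 445 and f["src"] in sweeps:
            if f["dst"] in sweeps[f["src"]]:
                result.setdefault(f["src"], set()).add(f["dst"])
    return result


def analyze(text, **sweep_options):
    """Return one alert per sweeping source with its SMB follow-up targets."""
    flows = parse_flows(text)
    sweeps = find_ping_sweeps(flows, **sweep_options)
    smb = find_smb_followups(flows, sweeps)
    return [{"src": src, "probed": len(targets), "smb_targets": sorted(smb.get(src, ()))}
            for src, targets in sorted(sweeps.items())]
```

The SMB follow-up is restricted to hosts that were probed first; a plain burst of ICMP from a monitoring box or a burst of SMB from a file-server client would each be noisy on its own, but the ordered combination from one workstation is a strong lateral-movement signal.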

When the ransomware is finished, the encryption key used to encrypt the victim's files will itself be encrypted and stored in a file named id.key on the victim's Windows desktop.

Also on the desktop will be a ransom note named ako-readme.txt. This note contains a URL to access the Ako Tor payment site in order to get payment instructions. This site is located at http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion.

Note how the ransom note states that "Your network have been locked", indicating that they are targeting networks and not individual devices. When we asked the ransomware developers whether they target both networks and individual workstations, they told BleepingComputer that they are "Only working on network."

Included in the ransom note is a 'Personal ID' that, when decoded, becomes a JSON-formatted object containing the extension, the encrypted key, a network configuration setting, a subid most likely used for affiliates, and the ransomware's version. The version is currently 0.5.
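Because the Personal ID carries the victim-specific extension, the encrypted key and the affiliate subid, it is worth pulling apart during triage rather than just pasting into the Tor site. The decoder below is an added example, not the article's code. It assumes the outer layer is base64 (standard or URL-safe alphabet, with padding possibly dropped when the ID is copied around) and uses hypothetical field names for the five values the article lists; SAMPLE_PERSONAL_ID is constructed here from a JSON object, not taken from a real ransom note.

```python
"""Decode an Ako 'Personal ID' into its JSON fields.

Added example, not the article's code. Assumes base64 as the outer encoding
and hypothetical field names (ext, key, network, subid, version).
"""
import base64
import binascii
import json

EXPECTED_FIELDS = {"ext", "key", "network", "subid", "version"}


def _build_sample_id():
    """Constructed sample; the 'key' is a stand-in, not a real encrypted key."""
    payload = {"ext": "Ci3Qn3", "key": base64.b64encode(b"\x00" * 16).decode(),
               "network": 1, "subid": "0001", "version": "0.5"}
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


SAMPLE_PERSONAL_ID = _build_sample_id()


def decode_personal_id(personal_id):
    """Return the JSON object inside a Personal ID, or raise ValueError."""
    text = personal_id.strip().replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    text += "=" * (-len(text) % 4)                                    # restore dropped padding
    try:
        raw = base64.b64decode(text, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not a decodable Personal ID: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("Personal ID did not decode to a JSON object")
    missing = EXPECTED_FIELDS - obj.keys()
    if missing:
        raise ValueError(f"Personal ID lacks expected fields: {sorted(missing)}")
    return obj


def is_valid_personal_id(personal_id):
    """Boolean wrapper for quick filtering of candidate strings."""
    try:
        decode_personal_id(personal_id)
        return True
    except ValueError:
        return False


def describe(obj):
    """One-line summary for an incident ticket; the key is only measured, never decrypted."""
    return (f"Ako v{obj['version']} subid={obj['subid']} ext=.{obj['ext']} "
            f"network={obj['network']} key_len={len(obj['key'])}")
```

The field check matters more than the decode itself: an ID that base64-decodes to JSON but lacks the version or subid is probably from a different family, and the subid is what lets you correlate incidents across victims of the same affiliate.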

When a victim accesses the Tor site they will need to enter their personal ID to see the ransom demand and instructions.

This Tor payment site also includes a chat service and the ability to decrypt one file, which is a bit low, as most ransomware infections allow the decryption of at least three files.

Unfortunately, in a brief analysis by ID-Ransomware owner Michael Gillespie, the encryption method used by Ako appears to be secure.

If a weakness is discovered, we will be sure to post more information. For now, if you wish to discuss this ransomware or need help, you can use our Ako Ransomware Support & Help topic.

Furthermore, it is not known how this ransomware is distributed, but it is most likely through hacked Remote Desktop services. If you are affected by this ransomware, we would be interested in learning how your network became infected.
