Ako ransomware is cryptomalware that targets entire networks of businesses and organizations

Ako ransomware is the new strain of ransom-demanding threats that mainly targets corporate networks instead of regular consumer machines. Initially discovered after a company's Windows 2011 server of an anonymous company was encrypted, researchers identified it as a new, never-before-seen strain of malware in January 2020. However, it later became clear that malware stems from MedusaLocker. Since then, several versions of Ako ransomware were released, and the attackers took on the data leaking technique, which is employed by all major ransomware operators.
The initial release of Ako ransomware showed the ransom-demanding message and asked victims to contact criminals via email (davidgoldman@cock.li, portedhiggens@firemail.cc). Later, cybercriminals changed the primary communication method that relies on the Tor anonymous network. Both versions deliver the file named ako-readme.txt on the system after the encryption that contains the ransom note, which demands 0.5 – 1 Bitcoin for data release, although this sum can vary from company to company. During encryption, files are appended with a random string of alphanumeric characters.
A few samples detected by victims gave the opportunity for researchers to analyze the threat in-depth.[1] After the investigation, it was discovered that Ako ransomware starts the attack by deleting shadow volume copies, clearing backups, disabling file recovery options, and other security functions. Also, to make matters worse and the file recovery less possible, ransomware is set to create registry entries, alter existing keys, and then start encrypting the targeted data.
| Name | Ako ransomware |
|---|---|
| Symptoms | The virus encodes files and makes them useless, so the ransom gets demanded, and developers can make money from the victim. The threat also alters settings, disables functions and installs other programs on the system to control more than encoded data |
| File marker | Ako makes a random character extension unique for each victim |
| Versions | Two separate versions of the threat got discovered from samples released by victims. (Samples 1[2] and 2[3]) The only difference is that one variant directly redirects to payment site and other offers to contact criminals first |
| Possible relation | Researchers found that the strain is heavily based on MedusaLocker due to similarities in coding, behavior, and ransom notes. However, ransomware developers stated that this is their own creation, not associated with previous ransomware releases |
| Ransom note | ako-readme.txt – a file that delivers initial instructions and possible solutions to victims |
| Ransom amount | The amount asked from victims starts with 0.5 Bitcoin but can go up to 1 BTC and even more |
| Targets | Large businesses, networks of organizations and companies |
| Distribution | The threat most likely infects machines through hacked Remote Desktop services or malicious emails and websites filled with malware |
| Contact emails | davidgoldman@cock.li, portedhiggens@firemail.cc |
| Elimination | You need to remove Ako ransomware with anti-malware tools that can detect the threat itself and clean the machine from applications and files associated with the threat |
| Repair | Since ransomware runs on the machine and disables functions, deletes particular files, you need to change a lot of the settings and fix the damage. When the virus is removed, go through the system with a PC repair look like FortectIntego and make sure that registry entries and system files get recovered and fixed |
Like other cryptocurrency-extortion based threats, Ako virus avoids program files, system data, and application-related files when choosing what to encode. When commonly used data gets encrypted, all files become useless and get marked using the random extension generated to signify which files are affected. Once that is done on the particular machine, the virus performs a scan that shows any devices responding to the network connection, so the whole network can get encrypted.
Ako ransomware places the ransom note on the desktop in the text file named ako-readme.txt that contains URL to the Tor payment site where the ransom payment can get transferred. The page also shows the statement “Your network have been locked” that fully determines the particular target of virus developers -networks.
The said ransom note also has a Personal ID that contains the extension, network configuration settings, encrypted key that is needed for decryption. This ID is required on the Tor site when Ako ransomware victims want to access the payment form and see the particular ransom amount, further instructions. The chat service can also be found these, so the person can submit one file for test decryption.
Ako ransomware ransom message displays the following:
Your network have been locked.
All your files, documents, photos, databases and other important data are encrypted and have the extension: .2Zrl5j
Backups and shadow copies also encrypted or removed. Any third-party software may damage encrypted data but not recover.
From this moment, it will be impossible to use files until they are decrypted.
The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recovery your files.
To get info (decrypt your files) follow this steps:
1) Download and install Tor Browser: https://www.torproject.org/download/
2) Open our website in TOR:xxxx: //kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/AHXYFYBKTAXNGRZB
3) Paste your ID in form (you can find your ID below)
!! ATTENTION !!
!! Any third – party software may damage encrypted data but not recover.
!! DO NOT MODIFY ENCRYPTED FILES
!! DO NOT CHANGE YOUR ID
!! DO NOT REMOVE YOUR ID.KEY FILE
— BEGIN PERSONAL ID —
eyJleHQiOiIuMlpybDVqIiwgImtleSI6InozNWRzcEZaOFltMEs0bW4xQVNrZE0
*** [556 characters in total]
— END PERSONAL ID —
Ako ransomware uses the AES encryption algorithm[4] and seems to have no flaws in the coding, so decryption is not possible at the time. However, paying is not recommended because cybercriminals cannot be trusted. Many companies that have suffered such infections before, didn't pay also.[5] If you are related to the company that suffered this attack, rely on professional IT specialist that can recover the network and get rid of the intruder. 
To reverse those changes that Ako cryptovirus have already made on the system, you should rely on the proper antivirus program that can safely delete registry entries, recover affected ones, repair system files, and settings. If you try to make those changes yourself, functions and settings can get damaged further and possibly get unrepairable. Automatic cleaners like FortectIntego, or PC repair tools, system optimizers can do that for you and without causing additional issues.
Even though ransomware creators stated that their target networks only, you as an individual user can also experience such infection on the machine. As for Ako ransomware removal or data recovery, individual machines and networks need to be cleaned from all the traces of the virus before any file restoring.
You can try to remove Ako ransomware with anti-malware tools and run the scan on the network, machine, or particular device to find the virus-related files and malicious programs. After this, data backups are the best option for such encoded data and possibly damaged files. You can find a few more options for file recovery below. 
Weakly protected RDP connections – one of the main attack vectors for company-targeting ransomware
Hackers target valuable information that can be accessed by entering the system with the help of devices and tools. When the system is not properly secured, and vulnerabilities allow breaking through the protection, there are bigger chances that machine gets affected by malware like ransomware.
Breaking in the vulnerable network, server, or device becomes easy when RDP hacking is used. It is a common technique used by attackers. Another method used by ransomware developers is payload droppers included on malicious sites or attached as files to emails.
When you receive any suspicious email, pay close attention to important details like the sender, attachments, and typos, or grammar mistakes. Malicious actors pose as companies or services to make people less suspicious. Also, keep the system secured and up-to-date by using system tools, security software, and patch needed flaws more often.
Get rid of Ako ransomware virus from the system
You need to note that the Ako ransomware virus is dangerous and can make other changes on your device besides directly affecting those files during encryption. Many system folders, essential files, and crucial program-related data get directly affected by the threat, so you cannot reverse those setting changes.
You need to remove Ako ransomware completely from the machine, including planted malicious files, installed programs, and other malware that keeps the cryptovirus persistent. This is achievable if you go for proper anti-malware tools and scan the machine fully.
Such Ako ransomware removal method allows detecting all traces and cleaning the machine from the virus. You should note that all those system changes require attention too. Rely on SpyHunterCombo Cleaner or MalwarebytesMalwarebytes and check the machine for any ransomware traces and virus damage. Then go through methods below that show how to restore files.
Was this guide helpful?
Be the first to comment