Ako

Known to be a RaaS

Description

First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) is run under a Ransomware-as-a-Service (RaaS) model; daily beta builds were reportedly offered to affiliates. It practises double extortion: files are encrypted and data is exfiltrated, and victims who do not pay are threatened with publication of that data on a dedicated leak site. Delivery is mainly by malspam, typically a password-protected ZIP attachment containing a malicious .scr executable. Once running, it deletes volume shadow copies and disables Windows recovery, then encrypts files (skipping a list of excluded extensions), appending a random six-character extension to each encrypted file and dropping ako-readme.txt and id.key. The encryption algorithms are not documented in the analyses linked below, but its behaviour closely resembles MedusaLocker variants. Known targets are networked Windows environments, potentially across multiple sectors; no notably high-profile or geographically specific incidents are documented.
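The three behaviours above (a .scr executable inside a ZIP lure, shadow-copy deletion and recovery disabling, and the ransom-note plus random-extension artefacts) are each checkable from routine telemetry. The following Python is an added triage example, not code from the Ako operators or from any of the linked analyses. The exact command lines it matches are generic ransomware recovery-inhibition commands assumed for illustration (the page only states that Ako deletes shadow copies and disables recovery), the process events and file names are constructed sample data, and the attachment name invoice.scr is hypothetical.

```python
"""Triage helpers for the Ako behaviours described above (added example, not the group's code)."""
import io
import re
import zipfile
from pathlib import PureWindowsPath
from typing import Iterable

# Assumed recovery-inhibition command lines (generic ransomware tradecraft; the page does not
# state which exact commands Ako runs, only that it deletes shadow copies and disables recovery).
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed Sysmon-style process-creation events; sample data, not from a real incident.
SAMPLE_EVENTS = [
    {"pid": 412,  "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 5120, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr", "cmd": "invoice.scr"},
    {"pid": 5132, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 5140, "image": r"C:\Windows\System32\bcdedit.exe",  "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 5150, "image": r"C:\Windows\System32\wbadmin.exe",  "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 5160, "image": r"C:\Windows\System32\notepad.exe",  "cmd": r"notepad.exe C:\ako-readme.txt"},
]

# Artefacts named on the page: the dropped note/key files and a random six-character extension.
NOTE_NAMES = {"ako-readme.txt", "id.key"}
RANDOM_EXT = re.compile(r"\.[0-9A-Za-z]{6}$")  # assumed alphabet; the page says only "random six-character"


def find_recovery_inhibition(events: Iterable[dict]) -> list:
    """Return pids of process events whose command line matches a recovery-inhibition pattern."""
    return [ev["pid"] for ev in events
            if any(p.search(ev["cmd"]) for p in RECOVERY_INHIBIT_PATTERNS)]


def classify_names(names: Iterable[str]) -> tuple:
    """Split file names into (ransom-note/key artefacts, files that look encrypted).

    A file counts as "looks encrypted" when it ends in a six-character suffix and what is left
    after stripping that suffix still has a normal extension (e.g. budget.xlsx.kQ7z1P), which
    keeps ordinary six-letter extensions such as app.config out of the result. Confirm hits with
    an entropy or magic-byte check before acting; this is a heuristic, not proof.
    """
    notes, suspect = [], []
    for n in names:
        base = PureWindowsPath(n).name          # handles both / and \ separators
        if base.lower() in NOTE_NAMES:
            notes.append(base)
            continue
        m = RANDOM_EXT.search(base)
        if m and PureWindowsPath(base[:m.start()]).suffix:
            suspect.append(base)
    return notes, suspect


def screened_zip_entries(zip_bytes: bytes) -> list:
    """Return .scr entries in a ZIP attachment.

    Entry names live unencrypted in the ZIP central directory even when the contents are
    password-protected (both ZipCrypto and AES), so a .scr lure can be flagged at the mail
    gateway without knowing the password the phishing e-mail supplies.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(".scr")]


def build_sample_zip() -> bytes:
    """Constructed lure archive (unencrypted; name listing behaves the same either way)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"MZ" + b"\x00" * 62)   # hypothetical attachment name
        zf.writestr("readme.txt", b"please open the attached agreement")
    return buf.getvalue()


if __name__ == "__main__":
    print("recovery inhibition by pid:", find_recovery_inhibition(SAMPLE_EVENTS))
    print(".scr in attachment:", screened_zip_entries(build_sample_zip()))
    print(classify_names([r"C:\ako-readme.txt", r"D:\finance\budget.xlsx.kQ7z1P",
                          "app.config", r"C:\Users\alice\id.key", "notes.txt"]))
```

Wire find_recovery_inhibition to process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) and alert on two or more distinct matches from one parent process within a short window; a single vssadmin call is common in backup software, the combination is not.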

External Analysis
https://digital.nhs.uk/cyber-alerts/2020/cc-3345
https://tripwire.com/state-of-security/ako-ransomware-using-spam-attachments-to-target-networks
https://attackiq.com/2025/01/09/emulating-ako-ransomware
https://sonicwall.com/blog/ako-ransomware-demands-3000-operators-hide-behind-tor
Urls
http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion
File servers
Chat servers
http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/
Admin servers