Ako
Known to be a RaaS
Description
First observed in early January 2020 (initial victim post on January 9, 2020), Ako (also known as MedusaReborn) operates under a Ransomware-as-a-Service (RaaS) model, with daily beta builds reportedly offered for affiliates. It uses a double-extortion approach—encrypting files and exfiltrating data, with subsequent threats to leak the data via a dedicated leak site. Delivery primarily occurs via malspam, often through password-protected ZIP attachments containing malicious .scr executables. After compromise, it deletes shadow copies and disables recovery, then encrypts files—excluding certain extensions—and appends random six-character suffixes, dropping files like ako-readme.txt and id.key. Encryption is carried out using unspecified algorithms, but its behavior aligns closely with MedusaLocker variants. Known targets include networked Windows environments, potentially across multiple sectors. No notably high-profile or geographically specific incidents are detailed.
| External Analysis |
| https://digital.nhs.uk/cyber-alerts/2020/cc-3345 |
| https://tripwire.com/state-of-security/ako-ransomware-using-spam-attachments-to-target-networks |
| https://attackiq.com/2025/01/09/emulating-ako-ransomware |
| https://sonicwall.com/blog/ako-ransomware-demands-3000-operators-hide-behind-tor |
| Urls |
Screen |
| http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion |
|
| Chat servers |
Screen |
| http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/ |
|