ako

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the extension .ako to every encrypted file.
  • Renaming Convention: After encryption the filename is transformed into the pattern <original filename>.<victim ID>.[[<contact e-mail 1>, <contact e-mail 2>]].ako; the original name and extension are kept, a short alphanumeric ID is appended, then the two attacker contact addresses in double square brackets, then .ako. Because the original extension survives, a directory listing alone shows which file types were hit.
    Example: Project.pptx → Project.pptx.t7kc5k.[[<contact e-mail 1>, <contact e-mail 2>]].ako (the contact addresses are not preserved on this page).
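
Because the original name and extension survive the rename, a directory listing is enough to scope the damage. The following is an added example in Python, not code from the original page: it parses the naming pattern above, recovers the original filename, and summarises the file types, victim ID(s) and contact addresses found in a listing. The listing and the e-mail addresses in it are constructed placeholders; scan_tree is a hypothetical helper for running the same inventory over a real directory tree.

```python
"""Triage files renamed by Ako from a directory listing.

Added example, not code from the original page. The rename pattern on the
page is <original name>.<victim ID>.[[<e-mail>, <e-mail>]].ako, so the
original filename and extension are recoverable from the name alone. The
directory listing and the contact addresses below are constructed
placeholders, not real victim data or attacker mailboxes.
"""
import os
import re
from collections import Counter

# <original name>.<victim ID>.[[<email>, <email>]].ako ; the ".[[" anchor is
# what separates the victim ID from the original file's own extension.
AKO_NAME = re.compile(
    r"^(?P<original>.+?)\.(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[\[(?P<emails>[^\]]+)\]\]\.ako$"
)


def parse_encrypted_name(name):
    """Return the original name, victim ID and contact addresses, or None
    if the name does not follow the Ako pattern."""
    match = AKO_NAME.match(name)
    if not match:
        return None
    return {
        "original": match.group("original"),
        "victim_id": match.group("victim_id"),
        "emails": [e.strip() for e in match.group("emails").split(",")],
    }


def original_extension(original_name):
    """Lower-cased extension of the pre-encryption name ('' if none)."""
    return original_name.rsplit(".", 1)[1].lower() if "." in original_name else ""


def inventory(filenames):
    """Summarise a listing: how much was encrypted, which file types, and
    the victim ID(s) and contact addresses the operators embedded."""
    parsed = [(name, parse_encrypted_name(name)) for name in filenames]
    hits = [p for _, p in parsed if p]
    return {
        "encrypted_count": len(hits),
        "untouched_count": len(filenames) - len(hits),
        "victim_ids": sorted({p["victim_id"] for p in hits}),
        "contact_emails": sorted({e for p in hits for e in p["emails"]}),
        "by_extension": dict(Counter(original_extension(p["original"]) for p in hits)),
        # encrypted name -> original name, for the restore-from-backup list
        "restore_map": {name: p["original"] for name, p in parsed if p},
    }


def scan_tree(root):
    """Hypothetical helper: run the inventory over a real directory tree."""
    names = [f for _, _, files in os.walk(root) for f in files]
    return inventory(names)


# Constructed directory listing (placeholder addresses; one victim ID).
SAMPLE_LISTING = [
    "Project.pptx.t7kc5k.[[contact1@example.com, contact2@example.net]].ako",
    "Q3 budget.xlsx.t7kc5k.[[contact1@example.com, contact2@example.net]].ako",
    "notes.txt.t7kc5k.[[contact1@example.com, contact2@example.net]].ako",
    "archive.tar.gz.t7kc5k.[[contact1@example.com, contact2@example.net]].ako",
    "desktop.ini",       # untouched
    "report.docx.ako",   # bare .ako without the ID/e-mail block: not the documented pattern
]

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The regex anchors on the literal ".[[" rather than guessing the ID length, so original names with several dots (archive.tar.gz) and extensions that happen to look like an ID (Project.pptx) still parse correctly; a file that merely ends in .ako without the ID and address block is reported as untouched, which is a prompt to look at it by hand.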

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first large campaigns using the .ako extension (Ako/Ako-v2) were observed in January 2020; a second wave, sometimes called Ako-v3, resurfaced and peaked in October-November 2020 and continued into early 2021.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    RDP brute-force / credential stuffing (most common): adversaries find RDP (3389/TCP) servers exposed to the internet and protected only by weak or reused credentials, then log in as a legitimate user.
    Pirated software loaders and activators, masquerading as keygens or cracks, that deliver the payload.
    Phishing e-mails with malicious attachments (.ISO, .IMG or .ZIP containing a .dll, or VBS + HTA lures), observed in Ako-v3 campaigns.
    Lateral movement after initial access: once inside, attackers harvest credentials with tools such as Mimikatz and then push the payload to every reachable host and share with remote-execution tools such as PsExec. The ransomware is deployed by the operators rather than spreading on its own as a worm.
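
The RDP brute-force and credential-stuffing vector above is the one most worth catching before the operators are inside. The following is an added example in Python, not code from the original page: it runs a sliding-window rule over Windows Security log events reduced to a few fields (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP; failures against an NLA-protected host are commonly recorded as logon type 3, so both types are kept) and raises one alert when a source IP accumulates repeated failures and another when a success follows that burst. The events, field names, IP addresses and thresholds are constructed assumptions for the demo; a real deployment would pull the events from the Security log and tune the thresholds.

```python
"""Sliding-window detection of RDP brute force / credential stuffing.

Added example, not code from the original page. Input: Windows Security
events reduced to the fields that matter (time, event_id, logon_type,
source ip, target user). Thresholds, field names and the sample events are
assumptions made for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # assumed: alert at 5 failures from one IP ...
WINDOW = timedelta(minutes=10)   # ... inside a 10-minute window
RDP_LOGON_TYPES = {10, 3}        # 10 = RemoteInteractive; NLA failures show as type 3
SPRAY_USER_COUNT = 3             # assumed: >= 3 distinct accounts => spraying/stuffing


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return alerts for bursts of failures per source IP and for a
    success that follows such a burst (the likely compromise)."""
    recent = defaultdict(deque)   # ip -> (time, user) failures inside the window
    burst_reported = set()
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue              # console, service and batch logons are out of scope
        now, ip = parse_time(ev["time"]), ev["ip"]
        window = recent[ip]
        while window and now - window[0][0] > WINDOW:
            window.popleft()      # expire failures older than the window
        if ev["event_id"] == 4625:
            window.append((now, ev["user"]))
            if len(window) >= FAIL_THRESHOLD and ip not in burst_reported:
                users = sorted({u for _, u in window})
                kind = ("credential stuffing / spray" if len(users) >= SPRAY_USER_COUNT
                        else "brute force")
                alerts.append({"type": kind, "ip": ip, "failures": len(window),
                               "users": users, "time": ev["time"]})
                burst_reported.add(ip)
        elif ev["event_id"] == 4624 and len(window) >= FAIL_THRESHOLD:
            # A success right after a burst of failures: treat the account as compromised.
            alerts.append({"type": "success after failures", "ip": ip,
                           "user": ev["user"], "failures": len(window),
                           "time": ev["time"]})
            window.clear()
            burst_reported.discard(ip)
    return alerts


# Constructed sample events (TEST-NET addresses; not real log data).
SAMPLE_EVENTS = [
    {"time": "2020-01-14 02:10:05", "event_id": 4625, "logon_type": 3, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:10:09", "event_id": 4625, "logon_type": 3, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:10:14", "event_id": 4625, "logon_type": 3, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:10:20", "event_id": 4625, "logon_type": 3, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:10:27", "event_id": 4625, "logon_type": 3, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:10:35", "event_id": 4625, "logon_type": 3, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:10:51", "event_id": 4624, "logon_type": 10, "ip": "203.0.113.45", "user": "administrator"},
    {"time": "2020-01-14 02:11:00", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "jsmith"},
    {"time": "2020-01-14 02:15:00", "event_id": 4625, "logon_type": 3, "ip": "198.51.100.7", "user": "jsmith"},
    {"time": "2020-01-14 02:16:00", "event_id": 4624, "logon_type": 2, "ip": "-", "user": "jsmith"},  # console logon, ignored
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one to page on: many failures from one address is background noise on any exposed RDP host, but a successful RemoteInteractive logon from the same address minutes later is the moment the operators gain the foothold described above, and the account named in that event is the one to disable first.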

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    Do not expose RDP directly to the internet; where remote access is required, put it behind a VPN or an RD Gateway, require MFA, and enforce account lockout thresholds.
    Patch quickly: disable SMBv1 and confirm that MS17-010 is applied on any legacy hosts, and keep Windows and third-party software current.
    Restrict lateral movement: remove "Everyone/Full Control" permissions on network shares, segment the network, and enforce least privilege for service and admin accounts.
    Deploy modern EDR/NGAV with exploit protection and enable tamper protection so the malware cannot stop or uninstall security services before it encrypts.
    Keep backups following the 3-2-1 rule (at least 3 copies, on 2 media types, 1 offline/air-gapped or immutable via storage snapshots/WORM) and test restores regularly; an untested backup is not a recovery plan.

2. Removal

  • Infection Cleanup:
  1. Disconnect the machine from the network immediately (pull the Ethernet cable, turn off Wi-Fi) to stop encryption of network shares and further deployment by the operators.
  2. Boot into Safe Mode with Networking, or boot from an offline rescue ISO from a vendor such as Trend Micro or Kaspersky.
  3. Run a reputable anti-malware suite (e.g., Malwarebytes, ESET, Sophos, or Bitdefender) with current signatures.
  4. Scan the entire system and quarantine the ransomware executable (its name is random); kill the process and remove any persistence it created, such as scheduled tasks and registry Run keys.
  5. Before rebuilding, check whether any Volume Shadow Copies survived (vssadmin list shadows) and preserve them for recovery; repair the boot configuration only if the malware tampered with it.

3. File Decryption & Recovery

  • Recovery Feasibility: No public decryptor exists. Ako generates an asymmetric key pair (reported as RSA-1024) for each victim; the private key is held only by the attackers and is not left on the host, so recovering the files by brute force is computationally infeasible.
    Recover from clean backups only.
    • If offline backups are unavailable, undelete tools (Recuva, PhotoRec) sometimes salvage deleted plaintext copies or fragments, provided the sectors have not been overwritten; do not count on shadow copies, because Ako deletes them. Verify every salvaged file before relying on it.
  • Essential Tools/Patches:
    • Run endpoint protection on fully patched hosts and keep Windows Update current.
    • Keep EDR content (CrowdStrike, SentinelOne, etc.) up to date; behavioural rules that fire on shadow-copy deletion and mass file renames catch this family regardless of the sample hash.
    • Enable Controlled Folder Access (Microsoft Defender, available since Windows 10 version 1709) and allow only trusted applications to modify the protected folders.
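
Undelete tools return whatever blocks are still on disk, so a salvaged copy must be checked before anyone relies on it. The following added example in Python (not code from the original page) classifies a salvaged file as intact, encrypted or unknown by comparing its leading bytes with the signature expected for its original extension and by measuring byte entropy, which sits close to 8 bits/byte for ciphertext. The signature table, the text-extension list, the entropy limit and the sample byte strings are assumptions constructed for the demo; check_path is a hypothetical helper for files on disk.

```python
"""Validate files salvaged by an undelete tool after an Ako incident.

Added example, not code from the original page. A salvaged copy is only
useful if it is the plaintext original: its leading bytes should carry the
signature of the claimed type, and uncompressed data should not look
random. The signature table, entropy limit and sample bytes below are
assumptions made for this demo.
"""
import math
import os
from collections import Counter

# Leading-byte signatures for common document types (assumed subset).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",   # Office Open XML files are zip containers
    "xlsx": b"PK\x03\x04",
    "pptx": b"PK\x03\x04",
}
TEXT_EXTENSIONS = {"txt", "csv", "log", "md", "ini"}
ENTROPY_LIMIT = 7.5   # assumed: bits per byte; ciphertext sits near 8.0
HEAD_BYTES = 4096     # only the head of each file is examined


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data):
    """True if the bytes decode as UTF-8 and are almost all printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return bool(text) and printable / len(text) >= 0.95


def classify(data, claimed_ext):
    """Return 'intact', 'encrypted' or 'unknown' for a salvaged file."""
    ext = claimed_ext.lower().lstrip(".")
    head = data[:HEAD_BYTES]
    if ext in MAGIC:
        if head.startswith(MAGIC[ext]):
            return "intact"          # signature present: plausibly the plaintext original
    elif ext in TEXT_EXTENSIONS and looks_like_text(head):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_LIMIT:
        return "encrypted"           # or a compressed fragment; not usable as-is either way
    return "unknown"                 # no signature, low entropy: inspect by hand


def check_path(path):
    """Hypothetical helper: classify a file on disk by its extension."""
    ext = os.path.splitext(path)[1]
    with open(path, "rb") as fh:
        return classify(fh.read(HEAD_BYTES), ext)


def triage(samples):
    """Classify a {name: bytes} mapping of salvaged files."""
    return {name: classify(data, os.path.splitext(name)[1]) for name, data in samples.items()}


# Constructed samples: the pptx body is a uniform byte sequence standing in
# for ciphertext (entropy exactly 8.0); no real files are read here.
SAMPLES = {
    "photo.png": MAGIC["png"] + b"\x00" * 64,
    "notes.txt": b"Meeting notes 2020-01-14\nAction items:\n- restore from backup\n",
    "Project.pptx": bytes(range(256)) * 16,
    "report.docx": b"\x00" * 200,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Entropy alone cannot tell an encrypted file from an intact compressed one (a real pptx, jpg or zip is also near 8 bits/byte), which is why the signature check comes first and the entropy test is only used to sort the files that fail it; an "unknown" verdict is a cue to open the file, not a result.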

4. Other Critical Information

  • Additional Precautions: Ako is built in C++ and is notable for revoking user privileges (removing the current user from the local Administrators group) and wiping or encrypting restore points. The operators run a multi-language data-leak site on the dark web where they threaten to publish exfiltrated data; treat this as a double-extortion variant (encryption plus the threat of publication), so every incident is also a potential data breach.
  • Broader Impact: Ako infected dozens of SMEs (legal firms, medical practices, accounting), several educational institutions in the US and EU, and municipal service providers; the global cost across 2020-21 has been estimated by recovery firms at more than USD 50 million. Code and tooling from defunct ransomware families are routinely recycled into newer operations, so remain vigilant against seemingly "old" variants like Ako, which continue to resurface on unpatched legacy systems.